From 76fa325f084d2d3ee613462740443c0c585bda19 Mon Sep 17 00:00:00 2001
From: Clement Michaud <c.michaud@criteo.com>
Date: Sun, 3 Mar 2019 23:51:52 +0100
Subject: [PATCH] [BREAKING] Create a suite for kubernetes tests.

Authelia client uses hash router instead of browser router in order to work
with Kubernetes nginx-ingress-controller. This is also better for users having
old browsers.

This commit is breaking because it requires to change the configuration of the
proxy to include the # in the URL of the login portal.
---
 .gitignore                                    |   1 +
 .travis.yml                                   |   8 +-
 README.md                                     |  14 +-
 bootstrap.sh                                  |  49 +++++
 client/src/App.tsx                            |   4 +-
 .../src/behaviors/SafelyRedirectBehavior.ts   |  15 --
 .../AlreadyAuthenticated.tsx                  |   4 +-
 .../FirstFactorForm/FirstFactorForm.tsx       |   8 +-
 .../FirstFactorForm/FirstFactorForm.ts        |  16 +-
 .../SecondFactorForm/SecondFactorForm.ts      |  68 ++++---
 client/src/services/AutheliaService.ts        |  52 +++--
 .../AuthenticationView/AuthenticationView.tsx |   2 +-
 config.template.yml                           |   4 +-
 docs/authelia-scripts.md                      |  13 +-
 docs/build-and-dev.md                         |  54 ++++++
 docs/build.md                                 |  53 ------
 docs/deployment-production.md                 |   3 +-
 docs/getting-started.md                       | 107 +++++------
 docs/suites.md                                |  34 ++--
 example/compose/nginx/backend/Dockerfile      |   4 +
 .../compose/nginx/backend/docker-compose.yml  |   5 +-
 .../nginx/backend/html/home/index.html        | 119 ++++++------
 .../{single_factor => secure}/secret.html     |   0
 .../html/singlefactor}/secret.html            |   1 -
 example/compose/nginx/backend/nginx.conf      |  10 +-
 .../compose/nginx/minimal/docker-compose.yml  |  12 --
 .../nginx/minimal/html/home/index.html        |  32 ----
 example/compose/nginx/minimal/nginx.conf      |  96 ----------
 example/compose/nginx/minimal/ssl/server.csr  |  11 --
 example/compose/nginx/portal/nginx.conf.ejs   | 141 +++++++-------
 example/compose/smtp/docker-compose.yml       |   1 -
 example/kube/README.md                        |  84 ++------
 example/kube/apps/app-home/deployment.yml     |  33 ----
 example/kube/apps/app-home/index.html         |  35 ----
 example/kube/apps/app-home/service.yml        |  12 --
 example/kube/apps/app1/deployment.yml         |  33 ----
 example/kube/apps/app1/index.html             |   9 -
 example/kube/apps/app1/service.yml            |  12 --
 example/kube/apps/app1/ssl/tls.crt            |  17 --
 example/kube/apps/app1/ssl/tls.csr            |  15 --
 example/kube/apps/app1/ssl/tls.key            |  27 ---
 example/kube/apps/app2/deployment.yml         |  33 ----
 example/kube/apps/app2/index.html             |   9 -
 example/kube/apps/app2/service.yml            |  12 --
 example/kube/apps/app2/ssl/tls.crt            |  17 --
 example/kube/apps/app2/ssl/tls.csr            |  15 --
 example/kube/apps/app2/ssl/tls.key            |  27 ---
 example/kube/apps/apps.yml                    | 130 +++++++++++++
 example/kube/apps/insecure-ingress.yml        |  28 ---
 example/kube/apps/secure-ingress.yml          |  23 ---
 .../ssl/server.crt => kube/apps/ssl/tls.crt}  |   0
 .../ssl/server.key => kube/apps/ssl/tls.key}  |   0
 example/kube/authelia/configs/config.yml      | 114 +++++------
 example/kube/authelia/deployment.yml          |   3 +-
 example/kube/authelia/ingress.yml             |   4 +-
 example/kube/bootstrap-authelia.sh            |   8 +
 example/kube/bootstrap.sh                     |  32 +---
 example/kube/build_and_push.sh                |   9 -
 example/kube/dashboard/dashboard.yaml         | 179 ++++++++++++++++++
 example/kube/docker-registry/daemonset.yml    |  35 ----
 example/kube/docker-registry/ingress.yml      |  18 --
 .../docker-registry/replicationcontroller.yml |  44 -----
 example/kube/docker-registry/service.yml      |  17 --
 .../ingress-controller/default-backend.yml    |  48 -----
 .../kube/ingress-controller/deployment.yml    |  16 +-
 example/kube/ingress-controller/rbac.yml      | 141 ++++++++++++++
 example/kube/ingress-controller/service.yml   |   9 +-
 .../kube/{mailcatcher => mail}/deployment.yml |   0
 .../kube/{mailcatcher => mail}/ingress.yml    |   6 +-
 .../kube/{mailcatcher => mail}/service.yml    |   0
 example/kube/test.yml                         |  22 +++
 package-lock.json                             |  47 +++--
 package.json                                  |   8 +-
 scripts/authelia-scripts                      |   1 +
 scripts/authelia-scripts-bootstrap            |  24 +++
 scripts/authelia-scripts-docker-build         |  12 +-
 scripts/authelia-scripts-docker-publish       |  11 +-
 scripts/authelia-scripts-serve                |   1 -
 scripts/authelia-scripts-suites-start         |   9 +-
 scripts/authelia-scripts-suites-test          | 113 ++++++++---
 scripts/authelia-scripts-travis               |   5 +-
 scripts/run-environment.ts                    |  80 +++++---
 scripts/utils/docker.js                       |   3 +-
 scripts/utils/exec.js                         |   7 +-
 server/src/lib/IdentityCheckMiddleware.ts     |   2 +-
 server/src/lib/Server.ts                      |   3 +-
 server/src/lib/authorization/Authorizer.ts    |   2 -
 .../SessionConfigurationBuilder.spec.ts       |  18 +-
 .../SessionConfigurationBuilder.ts            |  31 +--
 .../src/lib/routes/firstfactor/post.spec.ts   |   2 -
 server/src/lib/routes/firstfactor/post.ts     |  15 +-
 server/src/lib/routes/redirect/post.ts        |  31 ---
 .../src/lib/routes/secondfactor/redirect.ts   |  26 ++-
 .../lib/routes/secondfactor/u2f/sign/post.ts  |   4 +-
 server/src/lib/utils/IsRedirectionSafe.ts     |  14 ++
 server/src/lib/utils/SafeRedirection.spec.ts  |  33 ----
 server/src/lib/utils/SafeRedirection.ts       |  21 --
 server/src/lib/web_server/Configurator.ts     |   6 +
 server/src/lib/web_server/RestApi.ts          |   2 -
 shared/DomainExtractor.spec.ts                |   4 +-
 shared/api.ts                                 |  17 +-
 test/helpers/ClickOn.ts                       |   4 +-
 test/helpers/ClickOnLink.ts                   |   4 +-
 test/helpers/FillField.ts                     |   4 +-
 test/helpers/FillLoginPageAndClick.ts         |   5 +-
 test/helpers/FullLogin.ts                     |   8 +-
 test/helpers/GetIdentityLink.ts               |   8 +-
 test/helpers/LoginAndRegisterTotp.ts          |   8 +-
 test/helpers/LoginAs.ts                       |   6 +-
 test/helpers/Logout.ts                        |   3 +-
 test/helpers/RegisterTotp.ts                  |   6 +-
 test/helpers/ValidateTotp.ts                  |   6 +-
 test/helpers/VisitPage.ts                     |   2 +-
 test/helpers/assertions/VerifyBodyContains.ts |   9 +
 .../assertions/VerifySecretObserved.ts        |   9 +-
 test/helpers/assertions/VerifyUrlContains.ts  |   5 +
 test/helpers/behaviors/LoginOneFactor.ts      |   9 +-
 .../behaviors/RegisterAndLoginTwoFactor.ts    |   9 +-
 .../behaviors/VisitPageAndWaitUrlIs.ts        |   2 +-
 .../context/AutheliaServerWithHotReload.ts    |  61 ++++--
 test/helpers/context/AutheliaSuite.ts         |   5 -
 test/helpers/context/WithEnvironment.ts       |  22 ---
 test/helpers/context/kubernetes/Kubernetes.ts |  27 +++
 .../context/kubernetes/KubernetesManager.ts   |  20 ++
 .../scenarii/SingleFactorAuthentication.ts    |  39 ++++
 .../scenarii/TwoFactorAuthentication.ts       |  22 +++
 test/helpers/utils/WaitUntil.ts               |  28 +++
 test/helpers/utils/exec.ts                    |  29 ++-
 test/helpers/utils/execPromise.ts             |  16 ++
 test/suites/basic/config.yml                  |   2 +-
 test/suites/basic/environment.ts              |  14 +-
 test/suites/basic/scenarii/BadPassword.ts     |   2 +-
 .../LogoutRedirectToAlreadyLoggedIn.ts        |   2 +-
 .../basic/scenarii/RequiredTwoFactor.ts       |   2 +-
 test/suites/basic/scenarii/ResetPassword.ts   |  20 +-
 .../basic/scenarii/SimpleAuthentication.ts    |  37 ----
 test/suites/basic/scenarii/TOTPValidation.ts  |   4 +-
 test/suites/basic/test.ts                     |   4 +-
 test/suites/dockerhub/config.yml              |   2 +-
 test/suites/dockerhub/environment.ts          |  11 +-
 .../scenarii/SimpleAuthentication.ts          |  20 --
 test/suites/dockerhub/test.ts                 |   6 +-
 test/suites/high-availability/config.yml      |  20 +-
 test/suites/high-availability/environment.ts  |  11 +-
 .../scenarii/AccessControl.ts                 |  30 ++-
 .../scenarii/AuthenticationRegulation.ts      |   2 +-
 .../scenarii/BasicAuthentication.ts           |   2 +-
 .../scenarii/CustomHeadersForwarded.ts        |  12 +-
 .../EnforceInternalRedirectionsOnly.ts        |  29 ++-
 .../scenarii/SingleFactorAuthentication.ts    |  37 ----
 test/suites/high-availability/test.ts         |   5 +-
 test/suites/kubernetes/README.md              |  12 ++
 test/suites/kubernetes/environment.ts         | 134 +++++++++++++
 test/suites/kubernetes/test.ts                |  10 +
 test/suites/short-timeouts/config.yml         |   2 +-
 test/suites/short-timeouts/environment.ts     |  14 +-
 .../short-timeouts/scenarii/Inactivity.ts     |  61 +++---
 157 files changed, 1890 insertions(+), 1762 deletions(-)
 create mode 100644 bootstrap.sh
 delete mode 100644 client/src/behaviors/SafelyRedirectBehavior.ts
 create mode 100644 docs/build-and-dev.md
 delete mode 100644 docs/build.md
 create mode 100644 example/compose/nginx/backend/Dockerfile
 rename example/compose/nginx/backend/html/{single_factor => secure}/secret.html (100%)
 rename example/compose/nginx/{minimal/html/admin => backend/html/singlefactor}/secret.html (93%)
 delete mode 100644 example/compose/nginx/minimal/docker-compose.yml
 delete mode 100644 example/compose/nginx/minimal/html/home/index.html
 delete mode 100644 example/compose/nginx/minimal/nginx.conf
 delete mode 100644 example/compose/nginx/minimal/ssl/server.csr
 delete mode 100644 example/kube/apps/app-home/deployment.yml
 delete mode 100644 example/kube/apps/app-home/index.html
 delete mode 100644 example/kube/apps/app-home/service.yml
 delete mode 100644 example/kube/apps/app1/deployment.yml
 delete mode 100644 example/kube/apps/app1/index.html
 delete mode 100644 example/kube/apps/app1/service.yml
 delete mode 100644 example/kube/apps/app1/ssl/tls.crt
 delete mode 100644 example/kube/apps/app1/ssl/tls.csr
 delete mode 100644 example/kube/apps/app1/ssl/tls.key
 delete mode 100644 example/kube/apps/app2/deployment.yml
 delete mode 100644 example/kube/apps/app2/index.html
 delete mode 100644 example/kube/apps/app2/service.yml
 delete mode 100644 example/kube/apps/app2/ssl/tls.crt
 delete mode 100644 example/kube/apps/app2/ssl/tls.csr
 delete mode 100644 example/kube/apps/app2/ssl/tls.key
 create mode 100644 example/kube/apps/apps.yml
 delete mode 100644 example/kube/apps/insecure-ingress.yml
 delete mode 100644 example/kube/apps/secure-ingress.yml
 rename example/{compose/nginx/minimal/ssl/server.crt => kube/apps/ssl/tls.crt} (100%)
 rename example/{compose/nginx/minimal/ssl/server.key => kube/apps/ssl/tls.key} (100%)
 create mode 100755 example/kube/bootstrap-authelia.sh
 mode change 100644 => 100755 example/kube/bootstrap.sh
 delete mode 100644 example/kube/build_and_push.sh
 create mode 100644 example/kube/dashboard/dashboard.yaml
 delete mode 100644 example/kube/docker-registry/daemonset.yml
 delete mode 100644 example/kube/docker-registry/ingress.yml
 delete mode 100644 example/kube/docker-registry/replicationcontroller.yml
 delete mode 100644 example/kube/docker-registry/service.yml
 delete mode 100644 example/kube/ingress-controller/default-backend.yml
 create mode 100644 example/kube/ingress-controller/rbac.yml
 rename example/kube/{mailcatcher => mail}/deployment.yml (100%)
 rename example/kube/{mailcatcher => mail}/ingress.yml (76%)
 rename example/kube/{mailcatcher => mail}/service.yml (100%)
 create mode 100644 example/kube/test.yml
 create mode 100755 scripts/authelia-scripts-bootstrap
 delete mode 100644 server/src/lib/routes/redirect/post.ts
 create mode 100644 server/src/lib/utils/IsRedirectionSafe.ts
 delete mode 100644 server/src/lib/utils/SafeRedirection.spec.ts
 delete mode 100644 server/src/lib/utils/SafeRedirection.ts
 create mode 100644 test/helpers/assertions/VerifyBodyContains.ts
 create mode 100644 test/helpers/assertions/VerifyUrlContains.ts
 delete mode 100644 test/helpers/context/WithEnvironment.ts
 create mode 100644 test/helpers/context/kubernetes/Kubernetes.ts
 create mode 100644 test/helpers/context/kubernetes/KubernetesManager.ts
 create mode 100644 test/helpers/scenarii/SingleFactorAuthentication.ts
 create mode 100644 test/helpers/scenarii/TwoFactorAuthentication.ts
 create mode 100644 test/helpers/utils/WaitUntil.ts
 create mode 100644 test/helpers/utils/execPromise.ts
 delete mode 100644 test/suites/basic/scenarii/SimpleAuthentication.ts
 delete mode 100644 test/suites/dockerhub/scenarii/SimpleAuthentication.ts
 delete mode 100644 test/suites/high-availability/scenarii/SingleFactorAuthentication.ts
 create mode 100644 test/suites/kubernetes/README.md
 create mode 100644 test/suites/kubernetes/environment.ts
 create mode 100644 test/suites/kubernetes/test.ts

diff --git a/.gitignore b/.gitignore
index 166cceaa6..8dc02ff18 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,3 +38,4 @@ Configuration.schema.json
 users_database.test.yml
 
 .suite
+.kube
diff --git a/.travis.yml b/.travis.yml
index f71f06bce..debdccbe2 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,18 +15,16 @@ addons:
   hosts:
   - admin.example.com
   - login.example.com
-  - single_factor.example.com
+  - singlefactor.example.com
   - dev.example.com
   - home.example.com
   - mx1.mail.example.com
   - mx2.mail.example.com
   - public.example.com
+  - secure.example.com
   - authelia.example.com
   - admin.example.com
-
-before_install:
-- npm install -g npm@'>=2.13.5'
-- pushd client && npm install && popd
+  - mail.example.com
 
 before_script:
 - export DISPLAY=:99.0
diff --git a/README.md b/README.md
index 591075762..d98936e32 100644
--- a/README.md
+++ b/README.md
@@ -41,14 +41,18 @@ For more details about the features, follow [Features](./docs/features.md).
 
 ## Getting Started
 
-If you want to quickly test Authelia with Docker, we recommend you read
-[Getting Started](./docs/getting-started.md).
+You can start off with
+
+    source bootstrap.sh
+
+If you want to go further, please read [Getting Started](./docs/getting-started.md).
 
 ## Deployment
 
-Now that you have tested **Authelia** and you want to try it out in your own infrastructure, you can learn how to deploy and use it with
-[Deployment](./docs/deployment-production.md). This guide will show you how to deploy
-it on bare metal as well as on Kubernetes.
+Now that you have tested **Authelia** and you want to try it out in your own infrastructure,
+you can learn how to deploy and use it with [Deployment](./docs/deployment-production.md).
+This guide will show you how to deploy it on bare metal as well as on
+[Kubernetes](https://kubernetes.io/).
 
 ## Security
 
diff --git a/bootstrap.sh b/bootstrap.sh
new file mode 100644
index 000000000..4c92e6a51
--- /dev/null
+++ b/bootstrap.sh
@@ -0,0 +1,49 @@
+
+export PATH=$(pwd)/scripts:/tmp:$PATH
+
+export PS1="(authelia) $PS1"
+
+echo "[BOOTSTRAP] Installing npm packages..."
+npm i
+
+pushd client
+npm i
+popd
+
+echo "[BOOTSTRAP] Checking if Docker is installed..."
+if [ ! -x "$(command -v docker)" ];
+then
+  echo "[ERROR] You must install docker on your machine.";
+  return
+fi
+
+echo "[BOOTSTRAP] Checking if docker-compose is installed..."
+if [ ! -x "$(command -v docker-compose)" ];
+then
+  echo "[ERROR] You must install docker-compose on your machine.";
+  return;
+fi
+
+echo "[BOOTSTRAP] Checking if example.com domain is forwarded to your machine..."
+cat /etc/hosts | grep "login.example.com" > /dev/null
+if [ $? -ne 0 ];
+then
+  echo "[ERROR] Please add those lines to /etc/hosts:
+  
+127.0.0.1       home.example.com
+127.0.0.1       public.example.com
+127.0.0.1       secure.example.com
+127.0.0.1       dev.example.com
+127.0.0.1       admin.example.com
+127.0.0.1       mx1.mail.example.com
+127.0.0.1       mx2.mail.example.com
+127.0.0.1       singlefactor.example.com
+127.0.0.1       login.example.com"
+  return;
+fi
+
+echo "[BOOTSTRAP] Running additional bootstrap steps..."
+authelia-scripts bootstrap
+
+echo "[BOOTSTRAP] Run 'authelia-scripts suites start dockerhub' to start Authelia and visit https://home.example.com:8080."
+echo "[BOOTSTRAP] More details at https://github.com/clems4ever/authelia/blob/master/docs/getting-started.md"
diff --git a/client/src/App.tsx b/client/src/App.tsx
index f35684a48..fa17b1f67 100644
--- a/client/src/App.tsx
+++ b/client/src/App.tsx
@@ -3,14 +3,14 @@ import './App.scss';
 
 import { Route, Switch } from "react-router-dom";
 import { routes } from './routes/index';
-import { createBrowserHistory } from 'history';
+import { createHashHistory } from 'history';
 import { createStore, applyMiddleware, compose } from 'redux';
 import reducer from './reducers';
 import { Provider } from 'react-redux';
 import thunk from 'redux-thunk';
 import { routerMiddleware, ConnectedRouter } from 'connected-react-router';
 
-const history = createBrowserHistory();
+const history = createHashHistory();
 const store = createStore(
   reducer(history),
   compose(
diff --git a/client/src/behaviors/SafelyRedirectBehavior.ts b/client/src/behaviors/SafelyRedirectBehavior.ts
deleted file mode 100644
index 0d683456f..000000000
--- a/client/src/behaviors/SafelyRedirectBehavior.ts
+++ /dev/null
@@ -1,15 +0,0 @@
-import { Dispatch } from "redux";
-import * as AutheliaService from '../services/AutheliaService';
-
-export default async function(url: string) {
-  try {
-    // Check the url against the backend before redirecting.
-    await AutheliaService.checkRedirection(url);
-    window.location.href = url;
-  } catch (e) {
-    console.error(
-      'Cannot redirect since the URL is not in the protected domain.' +
-      'This behavior could be malicious so please the issue to an administrator.');
-    throw e;
-  }
-}
\ No newline at end of file
diff --git a/client/src/components/AlreadyAuthenticated/AlreadyAuthenticated.tsx b/client/src/components/AlreadyAuthenticated/AlreadyAuthenticated.tsx
index d73d636d0..6b1d549ac 100644
--- a/client/src/components/AlreadyAuthenticated/AlreadyAuthenticated.tsx
+++ b/client/src/components/AlreadyAuthenticated/AlreadyAuthenticated.tsx
@@ -7,7 +7,7 @@ import CircleLoader, { Status } from "../CircleLoader/CircleLoader";
 
 export interface OwnProps {
   username: string;
-  redirectionUrl: string;
+  redirectionUrl: string | null;
 }
 
 export interface DispatchProps {
@@ -27,7 +27,7 @@ class AlreadyAuthenticated extends Component<Props> {
           </div>
           <div className={styles.statusIcon}><CircleLoader status={Status.SUCCESSFUL} /></div>
         </div>
-        <a href={this.props.redirectionUrl}>{this.props.redirectionUrl}</a>
+        {(this.props.redirectionUrl) ? <a href={this.props.redirectionUrl}>{this.props.redirectionUrl}</a> : null}
         <div className={styles.logoutButtonContainer}>
           <Button
             onClick={this.props.onLogoutClicked}
diff --git a/client/src/components/FirstFactorForm/FirstFactorForm.tsx b/client/src/components/FirstFactorForm/FirstFactorForm.tsx
index 57a1d323e..1f000c336 100644
--- a/client/src/components/FirstFactorForm/FirstFactorForm.tsx
+++ b/client/src/components/FirstFactorForm/FirstFactorForm.tsx
@@ -20,7 +20,7 @@ export interface StateProps {
 }
 
 export interface DispatchProps {
-  onAuthenticationRequested(username: string, password: string, rememberMe: boolean): void;
+  onAuthenticationRequested(username: string, password: string, rememberMe: boolean): Promise<void>;
 }
 
 export type Props = OwnProps & StateProps & DispatchProps;
@@ -136,7 +136,11 @@ class FirstFactorForm extends Component<Props, State> {
     this.props.onAuthenticationRequested(
       this.state.username,
       this.state.password,
-      this.state.rememberMe);
+      this.state.rememberMe)
+      .catch((err: Error) => console.error(err))
+      .finally(() => {
+        this.setState({username: '', password: ''});
+      })
   }
 }
 
diff --git a/client/src/containers/components/FirstFactorForm/FirstFactorForm.ts b/client/src/containers/components/FirstFactorForm/FirstFactorForm.ts
index e47ad6176..97a3eafda 100644
--- a/client/src/containers/components/FirstFactorForm/FirstFactorForm.ts
+++ b/client/src/containers/components/FirstFactorForm/FirstFactorForm.ts
@@ -6,7 +6,6 @@ import { RootState } from '../../../reducers';
 import * as AutheliaService from '../../../services/AutheliaService';
 import to from 'await-to-js';
 import FetchStateBehavior from '../../../behaviors/FetchStateBehavior';
-import SafelyRedirectBehavior from '../../../behaviors/SafelyRedirectBehavior';
 
 const mapStateToProps = (state: RootState): StateProps => {
   return {
@@ -16,7 +15,7 @@ const mapStateToProps = (state: RootState): StateProps => {
 }
 
 function onAuthenticationRequested(dispatch: Dispatch, redirectionUrl: string | null) {
-  return async (username: string, password: string, rememberMe: boolean) => {
+  return async (username: string, password: string, rememberMe: boolean): Promise<void> => {
     let err, res;
     
     // Validate first factor
@@ -26,32 +25,37 @@ function onAuthenticationRequested(dispatch: Dispatch, redirectionUrl: string |
 
     if (err) {
       await dispatch(authenticateFailure(err.message));
-      return;
+      throw new Error(err.message);
     }
 
     if (!res) {
       await dispatch(authenticateFailure('No response'));
-      return;
+      throw new Error('No response');
     }
 
     if (res.status === 200) {
       const json = await res.json();
       if ('error' in json) {
         await dispatch(authenticateFailure(json['error']));
-        return;
+        throw new Error(json['error']);
       }
 
+      dispatch(authenticateSuccess());
       if ('redirect' in json) {
         window.location.href = json['redirect'];
         return;
       }
+
+      // fetch state to move to next stage in case redirect is not possible
+      await FetchStateBehavior(dispatch);
     } else if (res.status === 204) {
       dispatch(authenticateSuccess());
 
       // fetch state to move to next stage
-      FetchStateBehavior(dispatch);
+      await FetchStateBehavior(dispatch);
     } else {
       dispatch(authenticateFailure('Unknown error'));
+      throw new Error('Unknown error... (' + res.status + ')');
     }
   }
 }
diff --git a/client/src/containers/components/SecondFactorForm/SecondFactorForm.ts b/client/src/containers/components/SecondFactorForm/SecondFactorForm.ts
index 804abdc9e..0040a513f 100644
--- a/client/src/containers/components/SecondFactorForm/SecondFactorForm.ts
+++ b/client/src/containers/components/SecondFactorForm/SecondFactorForm.ts
@@ -3,13 +3,20 @@ import { RootState } from '../../../reducers';
 import { Dispatch } from 'redux';
 import u2fApi from 'u2f-api';
 import to from 'await-to-js';
-import { securityKeySignSuccess, securityKeySign, securityKeySignFailure, setSecurityKeySupported, oneTimePasswordVerification, oneTimePasswordVerificationFailure, oneTimePasswordVerificationSuccess } from '../../../reducers/Portal/SecondFactor/actions';
+import {
+  securityKeySignSuccess,
+  securityKeySign,
+  securityKeySignFailure,
+  setSecurityKeySupported,
+  oneTimePasswordVerification,
+  oneTimePasswordVerificationFailure,
+  oneTimePasswordVerificationSuccess
+} from '../../../reducers/Portal/SecondFactor/actions';
 import SecondFactorForm, { OwnProps, StateProps } from '../../../components/SecondFactorForm/SecondFactorForm';
 import * as AutheliaService from '../../../services/AutheliaService';
 import { push } from 'connected-react-router';
 import fetchState from '../../../behaviors/FetchStateBehavior';
 import LogoutBehavior from '../../../behaviors/LogoutBehavior';
-import SafelyRedirectBehavior from '../../../behaviors/SafelyRedirectBehavior';
 
 const mapStateToProps = (state: RootState): StateProps => ({
   securityKeySupported: state.secondFactor.securityKeySupported,
@@ -20,7 +27,7 @@ const mapStateToProps = (state: RootState): StateProps => ({
   oneTimePasswordVerificationError: state.secondFactor.oneTimePasswordVerificationError,
 });
 
-async function triggerSecurityKeySigning(dispatch: Dispatch) {
+async function triggerSecurityKeySigning(dispatch: Dispatch, redirectionUrl: string | null) {
   let err, result;
   dispatch(securityKeySign());
   [err, result] = await to(AutheliaService.requestSigning());
@@ -45,25 +52,39 @@ async function triggerSecurityKeySigning(dispatch: Dispatch) {
     throw 'No response';
   }
 
-  [err, result] = await to(AutheliaService.completeSecurityKeySigning(result));
+  [err, result] = await to(AutheliaService.completeSecurityKeySigning(result, redirectionUrl));
   if (err) {
     await dispatch(securityKeySignFailure(err.message));
     throw err;
   }
-  await dispatch(securityKeySignSuccess());
+  
+  try {
+    await redirectIfPossible(dispatch, result as Response);
+    dispatch(securityKeySignSuccess());
+    await handleSuccess(dispatch, 1000);
+  } catch (err) {
+    dispatch(securityKeySignFailure(err.message));
+  }
 }
 
-async function handleSuccess(dispatch: Dispatch, ownProps: OwnProps, duration?: number) {
+async function redirectIfPossible(dispatch: Dispatch, res: Response) {
+  if (res.status === 204) return;
+
+  const body = await res.json();
+  if ('error' in body) {
+    throw new Error(body['error']);
+  }
+
+  if ('redirect' in body) {
+    window.location.href = body['redirect'];
+    return;
+  }
+  return;
+}
+
+async function handleSuccess(dispatch: Dispatch, duration?: number) {
   async function handle() {
-    if (ownProps.redirectionUrl) {
-      try {
-        await SafelyRedirectBehavior(ownProps.redirectionUrl);
-      } catch (e) {
-        await fetchState(dispatch);
-      }
-    } else {
-      await fetchState(dispatch);
-    }
+    await fetchState(dispatch);
   }
 
   if (duration) {
@@ -88,14 +109,13 @@ const mapDispatchToProps = (dispatch: Dispatch, ownProps: OwnProps) => {
       const isU2FSupported = await u2fApi.isSupported();
       if (isU2FSupported) {
         await dispatch(setSecurityKeySupported(true));
-        await triggerSecurityKeySigning(dispatch);
-        await handleSuccess(dispatch, ownProps, 1000);
+        await triggerSecurityKeySigning(dispatch, ownProps.redirectionUrl);
       }
     },
     onOneTimePasswordValidationRequested: async (token: string) => {
       let err, res;
       dispatch(oneTimePasswordVerification());
-      [err, res] = await to(AutheliaService.verifyTotpToken(token));
+      [err, res] = await to(AutheliaService.verifyTotpToken(token, ownProps.redirectionUrl));
       if (err) {
         dispatch(oneTimePasswordVerificationFailure(err.message));
         throw err;
@@ -105,13 +125,13 @@ const mapDispatchToProps = (dispatch: Dispatch, ownProps: OwnProps) => {
         throw 'No response';
       }
 
-      const body = await res.json();
-      if ('error' in body) {
-        dispatch(oneTimePasswordVerificationFailure(body['error']));
-        throw body['error'];
+      try {
+        await redirectIfPossible(dispatch, res);
+        dispatch(oneTimePasswordVerificationSuccess());
+        await handleSuccess(dispatch);
+      } catch (err) {
+        dispatch(oneTimePasswordVerificationFailure(err.message));
       }
-      dispatch(oneTimePasswordVerificationSuccess());
-      await handleSuccess(dispatch, ownProps);
     },
   }
 }
diff --git a/client/src/services/AutheliaService.ts b/client/src/services/AutheliaService.ts
index ed77fdff2..860d56d1b 100644
--- a/client/src/services/AutheliaService.ts
+++ b/client/src/services/AutheliaService.ts
@@ -75,24 +75,36 @@ export async function requestSigning() {
     });
 }
 
-export async function completeSecurityKeySigning(response: u2fApi.SignResponse) {
+export async function completeSecurityKeySigning(
+  response: u2fApi.SignResponse, redirectionUrl: string | null) {
+
+  const headers: Record<string, string> = {
+    'Accept': 'application/json',
+    'Content-Type': 'application/json',
+  }
+  if (redirectionUrl) {
+    headers['X-Target-Url'] = redirectionUrl;
+  }
   return fetchSafe('/api/u2f/sign', {
     method: 'POST',
-    headers: {
-      'Accept': 'application/json',
-      'Content-Type': 'application/json',
-    },
+    headers: headers,
     body: JSON.stringify(response),
   });
 }
 
-export async function verifyTotpToken(token: string) {
+export async function verifyTotpToken(
+  token: string, redirectionUrl: string | null) {
+  
+    const headers: Record<string, string> = {
+    'Accept': 'application/json',
+    'Content-Type': 'application/json',
+  }
+  if (redirectionUrl) {
+    headers['X-Target-Url'] = redirectionUrl;
+  }
   return fetchSafe('/api/totp', {
     method: 'POST',
-    headers: {
-      'Accept': 'application/json',
-      'Content-Type': 'application/json',
-    },
+    headers: headers,
     body: JSON.stringify({token}),
   })
 }
@@ -123,24 +135,4 @@ export async function resetPassword(newPassword: string) {
     },
     body: JSON.stringify({password: newPassword})
   });
-}
-
-export async function checkRedirection(url: string) {
-  const res = await fetch('/api/redirect', {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-    },
-    body: JSON.stringify({url})
-  })
-
-  if (res.status !== 200) {
-    throw new Error('Status code ' + res.status);
-  }
-
-  const text = await res.text();
-  if (text !== 'OK') {
-    throw new Error('Cannot redirect');
-  }
-  return;
 }
\ No newline at end of file
diff --git a/client/src/views/AuthenticationView/AuthenticationView.tsx b/client/src/views/AuthenticationView/AuthenticationView.tsx
index c6bba5d85..dc9bd0ea3 100644
--- a/client/src/views/AuthenticationView/AuthenticationView.tsx
+++ b/client/src/views/AuthenticationView/AuthenticationView.tsx
@@ -40,7 +40,7 @@ class AuthenticationView extends Component<Props> {
     } else if (this.props.stage === Stage.ALREADY_AUTHENTICATED) {
       return <AlreadyAuthenticated
         username={this.props.remoteState.username}
-        redirectionUrl={this.props.remoteState.default_redirection_url} />;
+        redirectionUrl={this.props.redirectionUrl} />;
     }
     return <FirstFactorForm redirectionUrl={this.props.redirectionUrl} />;
   }
diff --git a/config.template.yml b/config.template.yml
index 6ffca5165..a29682b88 100644
--- a/config.template.yml
+++ b/config.template.yml
@@ -130,8 +130,10 @@ access_control:
   rules:
     # Rules applied to everyone
     - domain: public.example.com
+      policy: bypass
+    - domain: secure.example.com
       policy: two_factor
-    - domain: single_factor.example.com
+    - domain: singlefactor.example.com
       policy: one_factor
 
     # Rules applied to 'admin' group
diff --git a/docs/authelia-scripts.md b/docs/authelia-scripts.md
index 460ccb54d..211ae367a 100644
--- a/docs/authelia-scripts.md
+++ b/docs/authelia-scripts.md
@@ -4,17 +4,20 @@ Authelia comes with a set of dedicated scripts doing a broad range of operations
 building the distributed version of Authelia, building the Docker image, running suites,
 testing the code, etc...
 
-You can access the scripts usage by running the following command:
+Those scripts becomes available after sourcing the bootstrap.sh script with
 
-    npm run scripts
+    source bootstrap.sh
+
+Then, you can access the scripts usage by running the following command:
+
+    authelia-scripts --help
 
 For instance, you can build Authelia with:
 
-    npm run scripts build
+    authelia-scripts build
 
 Or start the *basic* suite with:
 
-    npm run scripts suites start basic
-
+    authelia-scripts suites start basic
 
 You will find more information in the scripts usage helpers.
\ No newline at end of file
diff --git a/docs/build-and-dev.md b/docs/build-and-dev.md
new file mode 100644
index 000000000..5d0668feb
--- /dev/null
+++ b/docs/build-and-dev.md
@@ -0,0 +1,54 @@
+# Build and dev
+
+**Authelia** is written in Typescript and built with [Authelia scripts](./docs/authelia-scripts.md).
+
+In order to build and contribute to **Authelia**, you need to make sure Node with version >= 8 and < 10
+and NPM is installed on your machine.
+
+## Build
+
+**Authelia** is made of two parts: the frontend and the backend.
+
+The frontend is a [React](https://reactjs.org/) application written in Typescript and
+the backend is an express application also written in Typescript.
+
+
+The following command builds **Authelia** under dist/:
+
+    authelia-scripts build
+
+And then you can also build the Docker image with:
+
+    authelia-scripts docker build
+
+## Development
+
+In order to ease development, Authelia uses the concept of [suites]. This is
+a kind of virutal environment for **Authelia**, it allows you to run **Authelia** in a complete
+environment, develop and test your patches. A hot-reload feature has been implemented so that
+you can test your changes in realtime.
+
+The next command will start the suite called [basic](./test/suites/basic/README.md): 
+
+    authelia-scripts suites start basic
+
+Then, edit the code and observe how **Authelia** is automatically updated.
+
+### Unit tests
+
+To run the unit tests written in Mocha, run:
+
+    authelia-scripts unittest
+
+### Integration tests
+
+Integration tests also run with Mocha and are based on Selenium. They generally
+require a complete environment made of several components like redis, mongo and a LDAP
+to run. That's why [suites] have been created. At this point, the *basic* suite should
+already be running and you can run the tests related to this suite with the following
+command:
+
+    authelia-scripts suites test
+
+
+[suites]: ./suites.md
\ No newline at end of file
diff --git a/docs/build.md b/docs/build.md
deleted file mode 100644
index 23dbaa81c..000000000
--- a/docs/build.md
+++ /dev/null
@@ -1,53 +0,0 @@
-# Build
-
-**Authelia** is written in Typescript and built with [Authelia scripts](docs/authelia-scripts.md).
-
-In order to build **Authelia**, you need to make sure Node with version >= 8 and < 10 and NPM is
-installed on your machine.
-
-Then, run the following command to install the node modules:
-
-    npm install
-
-And, this command to build **Authelia** under dist/:
-
-    npm run build
-
-Then you can also build the Docker image with:
-
-    npm run docker build
-
-## Details
-
-### Build
-
-**Authelia** is made of two parts: the frontend and the backend.
-
-The frontend is a [React](https://reactjs.org/) application written in Typescript and
-the backend is an express application also written in Typescript.
-
-### Tests
-
-There are two kind of tests: unit tests and integration tests.
-
-### Unit tests
-
-To run the unit tests, run:
-
-    npm run unittest
-
-### Integration tests
-
-Integration tests run with Mocha and are based on Selenium. They generally
-require a complete environment made of several components like redis, mongo and a LDAP
-to run.
-
-In order to simplify the creation of such environments, Authelia comes with a concept of
-[Suites] that basically act as virtual environments for running either
-manual or integration tests.
-
-Please read the documentation related to [Suites] in order to discover
-how to run related tests.
-
-
-[Suites]: ./suites.md
\ No newline at end of file
diff --git a/docs/deployment-production.md b/docs/deployment-production.md
index 94c2cded7..d7d251f89 100644
--- a/docs/deployment-production.md
+++ b/docs/deployment-production.md
@@ -29,14 +29,13 @@ the root of the repo.
 
 ### Deploy With Docker
 
-    docker pull clems4ever/authelia
     docker run -v /path/to/your/config.yml:/etc/authelia/config.yml clems4ever/authelia
 
 ## On top of Kubernetes
 
 <img src="/images/kube-logo.png" width="24" align="left">
 
-**Authelia** can also be used on top of [Kubernetes] using
+**Authelia** can also be installed on top of [Kubernetes] using
 [nginx ingress controller](https://github.com/kubernetes/ingress-nginx).
 
 Please refer to the following [documentation](../example/kube/README.md)
diff --git a/docs/getting-started.md b/docs/getting-started.md
index 5a3ea375b..eb8d4afb5 100644
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -3,61 +3,17 @@
 **Authelia** can be tested in a matter of seconds with docker-compose based
 on the latest image available on [Dockerhub].
 
-## Pre-requisites
+In order to deploy the latest release locally, run the following command and
+follow the instructions of bootstrap.sh:
 
-In order to test **Authelia**, we need to make sure that:
-- **Docker** and **docker-compose** are installed on your computer.
-- Ports 8080 and 8085 are not already used on your machine.
-- Some subdomains of **example.com** redirect to your test infrastructure.
+    source bootstrap.sh
 
-### Docker & docker-compose
+Then, start the *dockerhub* [suite].
 
-Make sure you have **docker** and **docker-compose** installed on your
-machine.
-Here are the versions used for testing in Travis:
+    authelia-scripts suites start dockerhub
 
-    $ docker --version
-    Docker version 17.03.1-ce, build c6d412e
-
-    $ docker-compose --version
-    docker-compose version 1.14.0, build c7bdf9e
-
-### Available port
-
-Make sure you don't have anything listening on port 8080 and 8085.
-
-The port 8080 will be our frontend load balancer serving both **Authelia**'s portal and the
-applications we want to protect.
-
-The port 8085 is serving a webmail used to receive emails sent by **Authelia**
-to validate your identity when registering U2F or TOTP secrets or when
-resetting your password.
-
-### Subdomain aliases
-
-In order to simulate the behavior of a DNS resolving some test subdomains of **example.com**
-to your machine, we need to add the following lines to your **/etc/hosts**. It will alias the
-subdomains so that nginx can redirect requests to the correct virtual host.
-
-    127.0.0.1       home.example.com
-    127.0.0.1       public.example.com
-    127.0.0.1       dev.example.com
-    127.0.0.1       admin.example.com
-    127.0.0.1       mx1.mail.example.com
-    127.0.0.1       mx2.mail.example.com
-    127.0.0.1       single_factor.example.com
-    127.0.0.1       login.example.com
-
-## Deploy
-
-To deploy **Authelia** using the latest image from [Dockerhub], run the
-following command:
-
-    npm install commander
-    npm run scripts suites start dockerhub
-
-A Suites is a virtual environment for running Authelia. If you want more details please
-read the related [documentation](./suites.md).
+A [suite] is kind of a virtual environment for running Authelia.
+If you want more details please read the related [documentation](./suites.md).
 
 ## Test it!
 
@@ -77,25 +33,52 @@ Below is what the login page looks like after you accepted all exceptions:
 </p>
 
 You can use one of the users listed in [https://home.example.com:8080/](https://home.example.com:8080/).
-The rights granted to each user and group is also provided there.
+The rights granted to each user and group is also provided in the page as
+a list of rules.
 
-At some point, you'll be required to register your second factor, either
-U2F or TOTP. Since your security is **Authelia**'s priority, it will send 
+At some point, you'll be required to register your second factor device.
+Since your security is **Authelia**'s priority, it will send 
 an email to the email address of the user to confirm the user identity.
 Since we're running a test environment, we provide a fake webmail called
 *MailCatcher* from which you can checkout the email and confirm
 your identity.
 The webmail is accessible from
-[http://localhost:8085](http://localhost:8085).
-
-**Note:** If you cannot deploy the fake webmail for any reason. You can
-configure **Authelia** to use the filesystem notifier (option available
-in [config.template.yml]) that will send the content of the email in a
-file instead of sending an email. It is advised to not use this option
-in production.
+[http://mail.example.com:8080](http://mail.example.com:8085).
 
 Enjoy!
 
+## FAQ
+
+### What version of Docker and docker-compose should I use?
+
+Here are the versions used for testing in Travis:
+
+    $ docker --version
+    Docker version 17.03.1-ce, build c6d412e
+
+    $ docker-compose --version
+    docker-compose version 1.14.0, build c7bdf9e
+
+### How am I supposed to access the subdomains of example.com?
+
+Well, in order to test Authelia, we will fake your browser that example.com is
+served by your machine. To do that, open */etc/hosts* and append the following
+lines:
+
+    127.0.0.1       home.example.com
+    127.0.0.1       public.example.com
+    127.0.0.1       secure.example.com
+    127.0.0.1       dev.example.com
+    127.0.0.1       admin.example.com
+    127.0.0.1       mx1.mail.example.com
+    127.0.0.1       mx2.mail.example.com
+    127.0.0.1       singlefactor.example.com
+    127.0.0.1       login.example.com
+
+### What should I do if I want to contribute?
+
+You can refer to the dedicated documentation [here](./build-and-dev.md).
+
 [config.template.yml]: ../config.template.yml
 [DockerHub]: https://hub.docker.com/r/clems4ever/authelia/
-[Build]: ./build.md
+[suite]: ./suites.md
\ No newline at end of file
diff --git a/docs/suites.md b/docs/suites.md
index 03a528213..fa1cda372 100644
--- a/docs/suites.md
+++ b/docs/suites.md
@@ -1,18 +1,18 @@
 # Suites
 
 Authelia is a single component in interaction with many others. Consequently, testing the features
-is not as easy as we might think. Consequently, a suite is kind of a virtual environment for Authelia, 
-it allows to create an environment made of components such as nginx, redis or mongo in which Authelia can
-run and be tested.
+is not as easy as we might think. In order to solve this problem, Authelia came up with the concept of
+suite which is a kind of virtual environment for Authelia, it allows to create an environment made of
+components such as nginx, redis or mongo in which Authelia can run and be tested.
 
 This abstraction allows to prepare an environment for manual testing during development and also to
 craft and run integration tests.
 
 ## Start a suite.
 
-Starting a suite called *simple* is done with the following command:
+Starting a suite called *basic* is done with the following command:
 
-    npm run scripts suites start simple
+    authelia-scripts suites start basic
 
 It will start the suite and block until you hit ctrl-c to stop the suite.
 
@@ -20,9 +20,9 @@ It will start the suite and block until you hit ctrl-c to stop the suite.
 
 ### Run tests of running suite
 
-If you are already running a suite with the previous command, you can simply type:
+If a suite is already running, you can simply type:
 
-    npm run scripts test
+    authelia-scripts suites test
 
 and this will run the tests related to the running suite.
 
@@ -31,18 +31,26 @@ and this will run the tests related to the running suite.
 However, if no suite is running and you still want to test a particular suite like *complete*.
 You can do so with the next command:
 
-    npm run scripts test complete
+    authelia-scripts suites test complete
 
 This command will run the tests for the *complete* suite using the built version of Authelia that
 should be located in *dist*.
 
-WARNING: Authelia must be built before running this command.
+WARNING: Authelia must be built with `authelia-scripts build` and possibly
+`authelia-scripts docker build` before running this command.
 
 ### Run all tests of all suites
 
-Running all tests is as easy as making sure that there is no running suite and typing:
+Running all tests is easy. Make sure that no suite is already running and run:
 
-    npm run scripts test
+    authelia-scripts suites test
+
+### Run tests in headless mode
+
+In order to run the tests without seeing the windows creating and vanishing, one
+can run the tests in headless mode with:
+
+    authelia-scripts suites test --headless
 
 
 ## Create a suite
@@ -51,5 +59,5 @@ Creating a suite is as easy as creating a new directory with at least two files:
 
 * **environment.ts** - It defines the setup and teardown phases when creating the environment. The *setup*
 phase is the phase when the required components will be spawned and Authelia will start while the *teardown*
-is executed when the suite is destroyed (ctrl-c hit by the user).
-* **test.ts** - It defines a set of tests to run in the virtual environment of the suite.
\ No newline at end of file
+is executed when the suite is destroyed (ctrl-c hit by the user) or the tests are finished.
+* **test.ts** - It defines a set of tests to run against the suite.
\ No newline at end of file
diff --git a/example/compose/nginx/backend/Dockerfile b/example/compose/nginx/backend/Dockerfile
new file mode 100644
index 000000000..04c97bf36
--- /dev/null
+++ b/example/compose/nginx/backend/Dockerfile
@@ -0,0 +1,4 @@
+FROM nginx:alpine
+
+ADD ./html /usr/share/nginx/html
+ADD ./nginx.conf /etc/nginx/nginx.conf
\ No newline at end of file
diff --git a/example/compose/nginx/backend/docker-compose.yml b/example/compose/nginx/backend/docker-compose.yml
index cd78b72b0..a34bc38e8 100644
--- a/example/compose/nginx/backend/docker-compose.yml
+++ b/example/compose/nginx/backend/docker-compose.yml
@@ -1,9 +1,6 @@
 version: '2'
 services:
   nginx-backend:
-    image: nginx:alpine
-    volumes:
-      - ./example/compose/nginx/backend/html:/usr/share/nginx/html
-      - ./example/compose/nginx/backend/nginx.conf:/etc/nginx/nginx.conf
+    image: authelia-example-backend
     networks:
       - authelianet
diff --git a/example/compose/nginx/backend/html/home/index.html b/example/compose/nginx/backend/html/home/index.html
index 5dd4295af..58b86b9f2 100644
--- a/example/compose/nginx/backend/html/home/index.html
+++ b/example/compose/nginx/backend/html/home/index.html
@@ -15,7 +15,13 @@
       public.example.com <a href="https://public.example.com:8080/"> / index.html</a>
     </li>
     <li>
-      secret.example.com
+      secure.example.com <a href="https://secure.example.com:8080/"> / secret.html</a>
+    </li>
+    <li>
+      singlefactor.example.com <a href="https://singlefactor.example.com:8080/secret.html"> / secret.html</a>
+    </li>
+    <li>
+      dev.example.com
       <ul>
         <li>Groups
           <ul>
@@ -51,12 +57,9 @@
     <li>
       mx2.main.example.com <a href="https://mx2.mail.example.com:8080/secret.html"> / secret.html</a>
     </li>
-    <li>
-      single_factor.example.com <a href="https://single_factor.example.com:8080/secret.html"> / secret.html</a>
-    </li>
   </ul>
 
-  You can also log off by visiting the following <a href="https://login.example.com:8080/logout?rd=https://home.example.com:8080/">link</a>.
+  You can also log off by visiting the following <a href="https://login.example.com:8080/#/logout?rd=https://home.example.com:8080/">link</a>.
 
   <h1>List of users</h1>
   Here is the list of credentials you can log in with to test access control.<br/>
@@ -74,61 +77,57 @@
   <p></p>These rules are extracted from the configuration file
   <a href="https://github.com/clems4ever/authelia/blob/master/config.template.yml">config.template.yml</a>.</p>
   <pre id="rules" style="border: 1px grey solid; padding: 20px; display: inline-block;">
-# Default policy can either be `allow` or `deny`.
-# It is the policy applied to any resource if it has not been overriden
-# in the `any`, `groups` or `users` category.
-
-default_policy: deny
-
-# The rules that apply to anyone.
-# The value is a list of rules.
-
-any:
-  - domain: public.example.com
-    policy: allow
-
-# Group-based rules. The key is a group name and the value
-# is a list of rules.
-
-groups:
-  admin:
-    # All resources in all domains
-    - domain: '*.example.com'
-      policy: allow
-    # Except mx2.mail.example.com (it restricts the first rule)
-    - domain: 'mx2.mail.example.com'
-      policy: deny
-  dev:
-    - domain: dev.example.com
-      policy: allow
-      resources:
-        - '^/groups/dev/.*$'
-
-# User-based rules. The key is a user name and the value
-# is a list of rules.
-
-users:
-  john:
-    - domain: dev.example.com
-      policy: allow
-      resources:
-        - '^/users/john/.*$' 
-  harry:
-    - domain: dev.example.com
-      policy: allow
-      resources:
-        - '^/users/harry/.*$'
-  bob:
-    - domain: '*.mail.example.com'
-      policy: allow
-    - domain: 'dev.example.com'
-      policy: allow
-      resources:
-        - '^/users/bob/.*$'
-    - domain: 'dev.example.com'
-      policy: allow
-      resources:
-        - '^/users/harry/.*$'</pre>
+    default_policy: deny
+  
+    rules:
+      # Rules applied to everyone
+      - domain: public.example.com
+        policy: bypass
+      - domain: secure.example.com
+        policy: two_factor
+      - domain: singlefactor.example.com
+        policy: one_factor
+  
+      # Rules applied to 'admin' group
+      - domain: 'mx2.mail.example.com'
+        subject: 'group:admin'
+        policy: deny
+      - domain: '*.example.com'
+        subject: 'group:admin'
+        policy: two_factor
+  
+      # Rules applied to 'dev' group
+      - domain: dev.example.com
+        resources:
+          - '^/groups/dev/.*$'
+        subject: 'group:dev'
+        policy: two_factor
+  
+      # Rules applied to user 'john'
+      - domain: dev.example.com
+        resources:
+          - '^/users/john/.*$'
+        subject: 'user:john'
+        policy: two_factor
+  
+  
+      # Rules applied to user 'harry'
+      - domain: dev.example.com
+        resources:
+          - '^/users/harry/.*$'
+        subject: 'user:harry'
+        policy: two_factor
+  
+      # Rules applied to user 'bob'
+      - domain: '*.mail.example.com'
+        subject: 'user:bob'
+        policy: two_factor
+      - domain: 'dev.example.com'
+        resources:
+          - '^/users/bob/.*$'
+        subject: 'user:bob'
+        policy: two_factor
+  </pre>
 </body>
 
 </html>
diff --git a/example/compose/nginx/backend/html/single_factor/secret.html b/example/compose/nginx/backend/html/secure/secret.html
similarity index 100%
rename from example/compose/nginx/backend/html/single_factor/secret.html
rename to example/compose/nginx/backend/html/secure/secret.html
diff --git a/example/compose/nginx/minimal/html/admin/secret.html b/example/compose/nginx/backend/html/singlefactor/secret.html
similarity index 93%
rename from example/compose/nginx/minimal/html/admin/secret.html
rename to example/compose/nginx/backend/html/singlefactor/secret.html
index 7489acf5c..b44f4b6cc 100644
--- a/example/compose/nginx/minimal/html/admin/secret.html
+++ b/example/compose/nginx/backend/html/singlefactor/secret.html
@@ -4,7 +4,6 @@
     <link rel="icon" href="/icon.png" type="image/png" />
   </head>
   <body>
-  <h1>Secret</h1>
   This is a very important secret!<br/>
   Go back to <a href="https://home.example.com:8080/">home page</a>.
   </body>
diff --git a/example/compose/nginx/backend/nginx.conf b/example/compose/nginx/backend/nginx.conf
index 55afb666c..37d20fdae 100644
--- a/example/compose/nginx/backend/nginx.conf
+++ b/example/compose/nginx/backend/nginx.conf
@@ -18,6 +18,12 @@ http {
         server_name     public.example.com;
     }
 
+    server {
+        listen 80;
+        root /usr/share/nginx/html/secure;
+        server_name     secure.example.com;
+    }
+
     server {
         listen 80;
         root /usr/share/nginx/html/admin;
@@ -38,8 +44,8 @@ http {
 
     server {
         listen 80;
-        root /usr/share/nginx/html/single_factor;
-        server_name     single_factor.example.com;
+        root /usr/share/nginx/html/singlefactor;
+        server_name     singlefactor.example.com;
     }
 }
 
diff --git a/example/compose/nginx/minimal/docker-compose.yml b/example/compose/nginx/minimal/docker-compose.yml
deleted file mode 100644
index a79ab6900..000000000
--- a/example/compose/nginx/minimal/docker-compose.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-version: '2'
-services:
-  nginx-portal:
-    image: nginx:alpine
-    volumes:
-      - ./example/compose/nginx/minimal/nginx.conf:/etc/nginx/nginx.conf
-      - ./example/compose/nginx/minimal/html:/usr/share/nginx/html
-      - ./example/compose/nginx/minimal/ssl:/etc/ssl
-    ports:
-      - "8080:443"
-    networks:
-      - authelianet
diff --git a/example/compose/nginx/minimal/html/home/index.html b/example/compose/nginx/minimal/html/home/index.html
deleted file mode 100644
index 98c7856eb..000000000
--- a/example/compose/nginx/minimal/html/home/index.html
+++ /dev/null
@@ -1,32 +0,0 @@
-<!DOCTYPE>
-<html>
-  <head>
-    <title>Home page</title>
-    <link rel="icon" href="/icon.png" type="image/png" />
-  </head>
-  
-  <body>
-    <h1>Access the secret</h1>
-    <span style="font-size: 1.2em; color: red">You need to log in to access the secret!</span><br/><br/> Try to access it using
-    the following links to test Authelia.<br/>
-    <ul>
-      <li>
-        admin.example.com <a href="https://admin.example.com:8080/secret.html"> / secret.html</a>
-      </li>
-    </ul>
-  
-    You can also log off by visiting the following <a href="https://login.example.com:8080/logout?rd=https://home.example.com:8080/">link</a>.
-  
-    <h1>List of users</h1>
-    Here is the list of credentials you can log in with.<br/>
-    <br/> Once first factor is passed, you will need to follow the links to register a secret for the second factor.<br/> Authelia
-    will send you a fictituous email stored in a <strong>local file</strong> called <strong>/tmp/authelia/notification.txt</strong>.<br/> 
-    It will provide you with the link to complete the registration allowing you to authenticate with 2-factor.
-  
-    <ul>
-      <li><strong>john / password</strong>: belongs to <em>admin</em> and <em>dev</em> groups.</li>
-      <li><strong>bob / password</strong>: belongs to <em>dev</em> group only.</li>
-      <li><strong>harry / password</strong>: does not belong to any group.</li>
-    </ul>
-  </body>
-</html>
diff --git a/example/compose/nginx/minimal/nginx.conf b/example/compose/nginx/minimal/nginx.conf
deleted file mode 100644
index 712305768..000000000
--- a/example/compose/nginx/minimal/nginx.conf
+++ /dev/null
@@ -1,96 +0,0 @@
-worker_processes  1;
-
-events {
-    worker_connections  1024;
-}
-
-http {
-    server {
-        listen 443 ssl;
-        server_name     login.example.com;
-
-        resolver 127.0.0.11 ipv6=off;
-        set $upstream_endpoint http://authelia:8080;
-
-        ssl_certificate     /etc/ssl/server.crt;
-        ssl_certificate_key /etc/ssl/server.key;
-
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-        add_header X-Frame-Options "SAMEORIGIN";
-
-        location / {
-            proxy_set_header  Host $http_host;
-            proxy_set_header  X-Original-URI $request_uri;
-            proxy_set_header  X-Real-IP $remote_addr;
-            proxy_set_header  X-Forwarded-Proto $scheme;
-            proxy_intercept_errors on;
-
-            proxy_pass        $upstream_endpoint;
-
-            if ($request_method !~ ^(POST)$){
-              error_page 401 = /error/401;
-              error_page 403 = /error/403;
-              error_page 404 = /error/404;
-            }
-        }
-    }
-
-    server {
-        listen 443 ssl;
-        server_name     home.example.com;
-
-        resolver 127.0.0.11 ipv6=off;
-        set $upstream_endpoint http://nginx-backend;
-
-        root /usr/share/nginx/html/home;
-
-        ssl_certificate     /etc/ssl/server.crt;
-        ssl_certificate_key /etc/ssl/server.key;
-
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-        add_header X-Frame-Options "SAMEORIGIN";
-    }
-
-    server {
-        listen 443 ssl; 
-        server_name     admin.example.com;
-
-        root /usr/share/nginx/html/admin;
-
-        resolver 127.0.0.11 ipv6=off;
-        set $upstream_verify http://authelia:8080/api/verify;
-
-        ssl_certificate     /etc/ssl/server.crt;
-        ssl_certificate_key /etc/ssl/server.key;
-
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-        add_header X-Frame-Options "SAMEORIGIN";
-
-        location /auth_verify {
-            internal;
-            proxy_set_header            Host $http_host;
-
-            proxy_set_header            X-Original-URI $request_uri;
-            proxy_set_header            X-Original-URL $scheme://$http_host$request_uri;
-            proxy_set_header            X-Real-IP $remote_addr;
-            proxy_set_header            X-Forwarded-Proto $scheme;
-
-            proxy_pass_request_body     off;
-            proxy_set_header            Content-Length "";
-
-            proxy_pass        $upstream_verify;
-        }
-
-        location / {
-            auth_request /auth_verify;
-
-            auth_request_set $redirect $upstream_http_redirect;
-            auth_request_set $user $upstream_http_remote_user;
-            auth_request_set $groups $upstream_http_remote_groups;
-
-            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
-            error_page 403 = https://login.example.com:8080/error/403;
-        }
-    }
-}
-
diff --git a/example/compose/nginx/minimal/ssl/server.csr b/example/compose/nginx/minimal/ssl/server.csr
deleted file mode 100644
index 80b307a91..000000000
--- a/example/compose/nginx/minimal/ssl/server.csr
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIBhDCB7gIBADBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEh
-MB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEB
-AQUAA4GNADCBiQKBgQDNloThcTVDIU1uscEdGFIDndqcCwnmYF4bs6bpJ1BxkBhq
-GUNYRu12hjiHLSA80ZwhNxZ4T5YD4+81Gvs9zMoSGd4jJRSBX6evPTXR8zkmcQI/
-EtN7WgXOXhTx3JiIGlPOI3OGJR+rvfc9FiNx30FC1wpw3gt2ZC+NQeedDvdPKwID
-AQABoAAwDQYJKoZIhvcNAQELBQADgYEAmCX60kspIw1Zfb79AQOarFW5Q2K2h5Vx
-/cRbDyHlKtbmG77EtICccULyqf76B1gNRw5Zq3lSotSUcLzsWcdesXCFDC7k87Qf
-mpQKPj6GdTYJvdWf8aDwt32tAqWuBIRoAbdx5WbFPPWVfDcm7zDJefBrhNUDH0Qd
-vcnxjvPMmOM=
------END CERTIFICATE REQUEST-----
diff --git a/example/compose/nginx/portal/nginx.conf.ejs b/example/compose/nginx/portal/nginx.conf.ejs
index 8ecb9c7f9..957d7b381 100644
--- a/example/compose/nginx/portal/nginx.conf.ejs
+++ b/example/compose/nginx/portal/nginx.conf.ejs
@@ -106,10 +106,79 @@ http {
         }
     }
 
+    server {
+        listen 443 ssl;
+        server_name     mail.example.com;
+
+        resolver 127.0.0.11 ipv6=off;
+        set $upstream_endpoint http://smtp:1080;
+
+        ssl_certificate     /etc/ssl/server.crt;
+        ssl_certificate_key /etc/ssl/server.key;
+
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Frame-Options "SAMEORIGIN";
+
+        location / {
+            proxy_set_header  Host $http_host;
+            proxy_pass        $upstream_endpoint;
+        }
+    }
+
     server {
         listen 443 ssl; 
         server_name     public.example.com;
 
+        resolver 127.0.0.11 ipv6=off;
+        set $upstream_verify <%= authelia_backend %>/api/verify;
+        set $upstream_endpoint http://nginx-backend;
+
+        ssl_certificate     /etc/ssl/server.crt;
+        ssl_certificate_key /etc/ssl/server.key;
+
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Frame-Options "SAMEORIGIN";
+
+        location /auth_verify {
+            internal;
+            proxy_set_header            Host $http_host;
+
+            proxy_set_header            X-Original-URI $request_uri;
+            proxy_set_header            X-Original-URL $scheme://$http_host$request_uri;
+            proxy_set_header            X-Real-IP $remote_addr;
+            proxy_set_header            X-Forwarded-Proto $scheme;
+            proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+
+            proxy_pass_request_body     off;
+            proxy_set_header            Content-Length "";
+
+            proxy_pass        $upstream_verify;
+        }
+
+        location / {
+            auth_request /auth_verify;
+
+            auth_request_set $redirect $upstream_http_redirect;
+            
+            auth_request_set $user $upstream_http_remote_user;
+            proxy_set_header X-Forwarded-User $user;
+            
+            auth_request_set $groups $upstream_http_remote_groups;
+            proxy_set_header Remote-Groups $groups;
+
+            proxy_set_header Host $http_host;
+
+            error_page 401 =302 https://login.example.com:8080/#/?rd=$redirect;
+
+            proxy_pass        $upstream_endpoint;
+        }
+    }
+
+    server {
+        listen 443 ssl; 
+        server_name     admin.example.com
+                        secure.example.com;
+
         resolver 127.0.0.11 ipv6=off;
         set $upstream_verify <%= authelia_backend %>/api/verify;
         set $upstream_endpoint http://nginx-backend;
@@ -141,7 +210,7 @@ http {
             auth_request /auth_verify;
 
             auth_request_set $redirect $upstream_http_redirect;
-            
+
             auth_request_set $user $upstream_http_remote_user;
             proxy_set_header X-Forwarded-User $user;
             
@@ -150,8 +219,7 @@ http {
 
             proxy_set_header Host $http_host;
 
-            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
-            error_page 403 = https://login.example.com:8080/error/403;
+            error_page 401 =302 https://login.example.com:8080/#/?rd=$redirect;
 
             proxy_pass        $upstream_endpoint;
         }
@@ -167,63 +235,12 @@ http {
             auth_request_set $groups $upstream_http_remote_groups;
             proxy_set_header Custom-Forwarded-Groups $groups;
 
-            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
-            error_page 403 = https://login.example.com:8080/error/403;
+            error_page 401 =302 https://login.example.com:8080/#/?rd=$redirect;
 
             proxy_pass        $upstream_headers;
         }
     }
 
-    server {
-        listen 443 ssl; 
-        server_name     admin.example.com;
-
-        resolver 127.0.0.11 ipv6=off;
-        set $upstream_verify <%= authelia_backend %>/api/verify;
-        set $upstream_endpoint http://nginx-backend;
-
-        ssl_certificate     /etc/ssl/server.crt;
-        ssl_certificate_key /etc/ssl/server.key;
-
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-        add_header X-Frame-Options "SAMEORIGIN";
-
-        location /auth_verify {
-            internal;
-            proxy_set_header            Host $http_host;
-
-            proxy_set_header            X-Original-URI $request_uri;
-            proxy_set_header            X-Original-URL $scheme://$http_host$request_uri;
-            proxy_set_header            X-Real-IP $remote_addr;
-            proxy_set_header            X-Forwarded-Proto $scheme;
-            proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
-
-            proxy_pass_request_body     off;
-            proxy_set_header            Content-Length "";
-
-            proxy_pass        $upstream_verify;
-        }
-
-        location / {
-            auth_request /auth_verify;
-
-            auth_request_set $redirect $upstream_http_redirect;
-
-            auth_request_set $user $upstream_http_remote_user;
-            proxy_set_header X-Forwarded-User $user;
-            
-            auth_request_set $groups $upstream_http_remote_groups;
-            proxy_set_header Remote-Groups $groups;
-
-            proxy_set_header Host $http_host;
-
-            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
-            error_page 403 = https://login.example.com:8080/error/403;
-
-            proxy_pass        $upstream_endpoint;
-        }
-    }
-
     server {
         listen 443 ssl; 
         server_name     dev.example.com;
@@ -267,8 +284,7 @@ http {
 
             proxy_set_header Host $http_host;
 
-            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
-            error_page 403 = https://login.example.com:8080/error/403;
+            error_page 401 =302 https://login.example.com:8080/#/?rd=$redirect;
 
             proxy_pass        $upstream_endpoint;
         }
@@ -317,8 +333,7 @@ http {
 
             proxy_set_header Host $http_host;
 
-            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
-            error_page 403 = https://login.example.com:8080/error/403;
+            error_page 401 =302 https://login.example.com:8080/#/?rd=$redirect;
 
             proxy_pass        $upstream_endpoint;
         }
@@ -326,7 +341,7 @@ http {
 
     server {
         listen 443 ssl;
-        server_name     single_factor.example.com;
+        server_name     singlefactor.example.com;
 
         resolver 127.0.0.11 ipv6=off;
         set $upstream_verify <%= authelia_backend %>/api/verify;
@@ -371,8 +386,7 @@ http {
 
             proxy_set_header Host $http_host;
 
-            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
-            error_page 403 = https://login.example.com:8080/error/403;
+            error_page 401 =302 https://login.example.com:8080/#/?rd=$redirect;
 
             proxy_pass        $upstream_endpoint;
         }
@@ -388,8 +402,7 @@ http {
             auth_request_set $groups $upstream_http_remote_groups;
             proxy_set_header Custom-Forwarded-Groups $groups;
 
-            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
-            error_page 403 = https://login.example.com:8080/error/403;
+            error_page 401 =302 https://login.example.com:8080/#/?rd=$redirect;
 
             proxy_pass        $upstream_headers;
         }
diff --git a/example/compose/smtp/docker-compose.yml b/example/compose/smtp/docker-compose.yml
index 4fd5e5e56..e29ef3531 100644
--- a/example/compose/smtp/docker-compose.yml
+++ b/example/compose/smtp/docker-compose.yml
@@ -4,6 +4,5 @@ services:
     image: schickling/mailcatcher
     ports:
       - "1025:1025"
-      - "8085:1080"
     networks:
       - authelianet
diff --git a/example/kube/README.md b/example/kube/README.md
index 7878055c6..13d0225c9 100644
--- a/example/kube/README.md
+++ b/example/kube/README.md
@@ -4,66 +4,20 @@ Authelia is now available on Kube in order to protect your most critical
 applications using 2-factor authentication and Single Sign-On.
 
 This example leverages [ingress-nginx](https://github.com/kubernetes/ingress-nginx)
-v0.13.0 to delegate authentications and authorizations to Authelia within
-the cluster.
+to delegate authentication and authorization to Authelia within the cluster.
 
 ## Getting started
 
-In order to deploy Authelia on Kube, you must have a cluster at hand. If you
-don't, please follow the next section otherwise skip it and go
-to the next.
+You can either try to install **Authelia** on your running instance of Kubernetes
+or deploy the dedicated [suite](/docs/suites.md) called *kubernetes*.
 
 ### Set up a Kube cluster
 
-Hopefully, spawning a development cluster from scratch has become very
-easy lately with the use of **minikube**. This project creates a VM on your
-computer and start a Kube cluster inside it. It also configure a CLI called
-kubectl so that you can deploy applications in the cluster right away.
+The simplest way to start a Kubernetes cluster is to deploy the *kubernetes* suite with
 
-Basically, you need to follow the instruction from the [repository](https://github.com/kubernetes/minikube).
-It should be a matter of downloading the binary and start the cluster with
-two commands:
+    authelia-scripts suites start kubernetes
 
-```
-curl -Lo minikube https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64 && chmod +x minikube && sudo mv minikube /usr/local/bin/
-minikube start # you can use --vm-driver flag for selecting your hypervisor (virtualbox by default otherwise)
-```
-
-After few seconds, your cluster should be working and you should be able to
-get access to the cluster by creating a proxy with
-
-```
-kubectl proxy
-```
-
-and visiting `http://localhost:8001/ui`
-
-### Deploy Authelia
-
-Once the cluster is ready and you can access it, run the following command to
-deploy Authelia:
-
-```
-./bootstrap.sh
-```
-
-In order to visit the test applications that have been deployed to test
-Authelia, edit your /etc/hosts and add the following lines replacing the IP
-with the IP of your VM given by minikube:
-
-```
-192.168.39.26       login.kube.example.com
-192.168.39.26       app1.kube.example.com
-192.168.39.26       app2.kube.example.com
-192.168.39.26       mail.kube.example.com
-192.168.39.26       home.kube.example.com
-
-# The domain of the private docker registry holding dev version of Authelia
-192.168.39.26       registry.kube.example.com
-```
-
-Once done, you can visit http://home.kube.example.com and follow the
-instructions written in the page.
+This will take a few seconds (or minutes) to deploy the cluster.
 
 ## How does it work?
 
@@ -81,32 +35,26 @@ The authentication is provided at the ingress level by an annotation called
 `nginx.ingress.kubernetes.io/auth-url` that is filled with the URL of
 Authelia's verification endpoint.
 The ingress controller also requires the URL to the
-authentication portal so that the user can be redirected in case she is not
-yet authenticated.
+authentication portal so that the user can be redirected if he is not
+yet authenticated. This annotation is as follows:
+`nginx.ingress.kubernetes.io/auth-signin: "https://login.example.com:8080/#/"`
 
-Those annotations can be seen in `apps/secure-ingress.yml` configuration.
+Those annotations can be seen in `apps/apps.yml` configuration.
 
 ### Production grade infrastructure
 
 What is great with using [ingress-nginx](https://github.com/kubernetes/ingress-nginx)
 is that it is compatible with [kube-lego](https://github.com/jetstack/kube-lego)
-which removes the usual pain of manual SSL certificate renewals. It uses
+which removes the usual pain of manually renewing SSL certificates. It uses
 letsencrypt to issue and renew certificates every three month without any
 manual intervention.
 
-## What do I need know to deploy it in my cluster?
+## What do I need to know to deploy it in my cluster?
 
-Given your cluster is already made of an LDAP server, a Redis cluster, a Mongo
-cluster and a SMTP server, you'll only need to install the ingress-controller
-and Authelia whose kubernetes deployment configurations are respectively in 
-`ingress-controller` and `authelia` directories. A template configuration
-is provided there, you just need to create the configmap to use it within
-the cluster.
-
-### I'm already using ingress-nginx
-
-If you're already using ingress-nginx as your ingress controller, you only
-need to install Authelia with its configuration and that's it!
+Given your cluster already runs a LDAP server, a Redis, a Mongo database,
+a SMTP server and a nginx ingress-controller, you can deploy **Authelia**
+and update your ingress configurations. An example is provided 
+[here](./authelia).
 
 ## Questions
 
diff --git a/example/kube/apps/app-home/deployment.yml b/example/kube/apps/app-home/deployment.yml
deleted file mode 100644
index 3f88fdc13..000000000
--- a/example/kube/apps/app-home/deployment.yml
+++ /dev/null
@@ -1,33 +0,0 @@
----
-apiVersion: apps/v1beta2
-kind: Deployment
-metadata:
-  name: test-app-home
-  namespace: authelia
-  labels:
-    app: test-app-home
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: test-app-home
-  template:
-    metadata:
-      labels:
-        app: test-app-home
-    spec:
-      containers:
-      - name: test-app-home
-        image: nginx:alpine
-        ports:
-        - containerPort: 80
-        volumeMounts:
-        - name: app-home-page
-          mountPath: /usr/share/nginx/html
-      volumes:
-      - name: app-home-page
-        configMap:
-          name: app-home-page
-          items:
-          - key: index.html
-            path: index.html
diff --git a/example/kube/apps/app-home/index.html b/example/kube/apps/app-home/index.html
deleted file mode 100644
index a1e975e94..000000000
--- a/example/kube/apps/app-home/index.html
+++ /dev/null
@@ -1,35 +0,0 @@
-<html>
-  <head>
-    <title>Authelia Home</title>
-  </head>
-  <body>
-    <h1>Authelia on Kube</h1>
-
-    In this example, two applications have been deployed along with Authelia and a fake mailbox in order to confirm your secret registration to Authelia:
-    <ul>
-      <li><a href="https://app1.kube.example.com">https://app1.kube.example.com</a></li>
-      <li><a href="https://app2.kube.example.com">https://app2.kube.example.com</a></li>
-      <li><a href="http://mail.kube.example.com">http://mail.kube.example.com</a></li>
-    </ul>
-    <p>
-      Please note that <b>app1</b> is publicly available and <b>app2</b> is protected by Authelia.<br/>
-      <br/>
-      You can start by visiting <b>app1</b> and then try to access <b>app2</b>. Since <b>app2</b> is protected by Authelia, you will be redirected to Authelia's portal.<br/>
-      <br/>
-      If it's the first time you login in this cluster, you'll need to choose your authentication method and follow Authelia's instructions.<br/>
-      <br/>
-      Once done, you'll be able to authenticate with your selected second factor method.
-    </p>
-    <p>
-      Here is the list of available users in the LDAP
-      <ul>
-        <li><strong>john / password</strong>
-        <li><strong>bob / password</strong>
-        <li><strong>harry / password</strong>
-      </ul>
-    </p>
-    <p>
-      You can always log off by clicking <a href="https://login.kube.example.com/logout?rd=http://home.kube.example.com">here</a>
-    </p>
-  </body>
-</html>
diff --git a/example/kube/apps/app-home/service.yml b/example/kube/apps/app-home/service.yml
deleted file mode 100644
index 1dd6f0148..000000000
--- a/example/kube/apps/app-home/service.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: test-app-home-service
-  namespace: authelia
-spec:
-  selector:
-    app: test-app-home
-  ports:
-  - protocol: TCP
-    port: 80
diff --git a/example/kube/apps/app1/deployment.yml b/example/kube/apps/app1/deployment.yml
deleted file mode 100644
index 883b857f3..000000000
--- a/example/kube/apps/app1/deployment.yml
+++ /dev/null
@@ -1,33 +0,0 @@
----
-apiVersion: apps/v1beta2
-kind: Deployment
-metadata:
-  name: test-app1
-  namespace: authelia
-  labels:
-    app: test-app1
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: test-app1
-  template:
-    metadata:
-      labels:
-        app: test-app1
-    spec:
-      containers:
-      - name: test-app1
-        image: nginx:alpine
-        ports:
-        - containerPort: 80
-        volumeMounts:
-        - name: app1-page
-          mountPath: /usr/share/nginx/html
-      volumes:
-      - name: app1-page
-        configMap:
-          name: app1-page
-          items:
-          - key: index.html
-            path: index.html
diff --git a/example/kube/apps/app1/index.html b/example/kube/apps/app1/index.html
deleted file mode 100644
index b9102c5e7..000000000
--- a/example/kube/apps/app1/index.html
+++ /dev/null
@@ -1,9 +0,0 @@
-<html>
-  <head>
-    <title>Application 1</title>
-  </head>
-  <body>
-    <h1>Application 1</h1>
-    <p><a href="http://home.kube.example.com">Go Home</a></p>
-  </body>
-</html>
diff --git a/example/kube/apps/app1/service.yml b/example/kube/apps/app1/service.yml
deleted file mode 100644
index 3a229ad0f..000000000
--- a/example/kube/apps/app1/service.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: test-app1-service
-  namespace: authelia
-spec:
-  selector:
-    app: test-app1
-  ports:
-  - protocol: TCP
-    port: 80
diff --git a/example/kube/apps/app1/ssl/tls.crt b/example/kube/apps/app1/ssl/tls.crt
deleted file mode 100644
index 41a0d908b..000000000
--- a/example/kube/apps/app1/ssl/tls.crt
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICvDCCAaQCCQD9zdaObelW0jANBgkqhkiG9w0BAQsFADAgMR4wHAYDVQQDDBVh
-cHAxLmt1YmUuZXhhbXBsZS5jb20wHhcNMTgwMzA0MTUxMDUxWhcNMjgwMzAxMTUx
-MDUxWjAgMR4wHAYDVQQDDBVhcHAxLmt1YmUuZXhhbXBsZS5jb20wggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+v2s9ABHFgxuYFyGkqlbNQ5OtzHAB79lM
-sbAMJ9pnMTBA4FXdHgQuQ6Z4F233hMokVfnX9C2KxuLLOQMXJdoVQGytkbGGCzoz
-Hz1qXBjDCwQtUGgLJ6zc3C8QKx90zmY0NmH55ttFCQKPHaaxgrS2YXsPzMlQKrgH
-drRklfCpnRZWG9/M1YzXOKeT4VuwTsHyeI8tnco11WJLsZwRxc6TjEgNwwBnct8R
-/cDhl5guDhqFPgMuBtzRlTVOeZS8NraHL5GRswoUeFJfS2VA3FTABwRWV3J6d5gl
-oXpvMzCB01u2jVKLq75g91lGT6I+AVMgSOJG4Nezum7brS7jJjVFAgMBAAEwDQYJ
-KoZIhvcNAQELBQADggEBAIFox2Ox/hJqmaSAyE0TqCaLf3UK78z9m/FYUzWoupGE
-JAJ83wghVcj7XLKG4x6wN+v342JVa0mQ5X773kqNidHmSdWFPd/hGtx+0dQK3BVV
-4CmQCNfA7BZDuxWPW0mcrkKun2aSCq0zjK0f/CzPXZxyPW18EmzSNGkmkXCesM5i
-aevdE5PBKikGz4EfzieVTsImdHDfh2/azdRrmSh22x9/tpZy3mMkc5ERpgL2ll+m
-HZuZ9FEBQHj92pk2aMBVdxPYpgzWAWbuRUs3vfTIhPlzHcI/ZpE60Ete+yY5lBw/
-Gf+ph3HPB8gzSOH/hmcmerX9h6E3MFAncdC4hH3R0j8=
------END CERTIFICATE-----
diff --git a/example/kube/apps/app1/ssl/tls.csr b/example/kube/apps/app1/ssl/tls.csr
deleted file mode 100644
index 808704262..000000000
--- a/example/kube/apps/app1/ssl/tls.csr
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICZTCCAU0CAQAwIDEeMBwGA1UEAwwVYXBwMS5rdWJlLmV4YW1wbGUuY29tMIIB
-IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvr9rPQARxYMbmBchpKpWzUOT
-rcxwAe/ZTLGwDCfaZzEwQOBV3R4ELkOmeBdt94TKJFX51/QtisbiyzkDFyXaFUBs
-rZGxhgs6Mx89alwYwwsELVBoCyes3NwvECsfdM5mNDZh+ebbRQkCjx2msYK0tmF7
-D8zJUCq4B3a0ZJXwqZ0WVhvfzNWM1zink+FbsE7B8niPLZ3KNdViS7GcEcXOk4xI
-DcMAZ3LfEf3A4ZeYLg4ahT4DLgbc0ZU1TnmUvDa2hy+RkbMKFHhSX0tlQNxUwAcE
-VldyeneYJaF6bzMwgdNbto1Si6u+YPdZRk+iPgFTIEjiRuDXs7pu260u4yY1RQID
-AQABoAAwDQYJKoZIhvcNAQELBQADggEBALcwQAjNjyhMAbGNpFl6iYhzdhUjz02p
-hTpc15T+S4PatbgeERYAIuSGxomPHfh+30udxGDCSy730V2urC0eGPjRpnJpGHNG
-1Dau0sgi28TQPOqhBcZm0GNHMocc5iG+AxWAsxNwtSH3wRoeUGYXavcm9/tWvYbi
-RIKmzXTQKsmY+qhBo3e/phUFuSU8GARYkfDSVqcTM7C3xswgXYcImrkbHAxvsC7+
-3nr8ir2K9t2M3QxV7lTybNacuOF84wL93AZDvJ04HctXXgtt2rSI6vxxt18jyrxJ
-yHX9ADrAa+jhPAM664SZs/+l0fBbil2UaMPOKXOCmYGuERpWh1HLHKo=
------END CERTIFICATE REQUEST-----
diff --git a/example/kube/apps/app1/ssl/tls.key b/example/kube/apps/app1/ssl/tls.key
deleted file mode 100644
index c42ccf379..000000000
--- a/example/kube/apps/app1/ssl/tls.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAvr9rPQARxYMbmBchpKpWzUOTrcxwAe/ZTLGwDCfaZzEwQOBV
-3R4ELkOmeBdt94TKJFX51/QtisbiyzkDFyXaFUBsrZGxhgs6Mx89alwYwwsELVBo
-Cyes3NwvECsfdM5mNDZh+ebbRQkCjx2msYK0tmF7D8zJUCq4B3a0ZJXwqZ0WVhvf
-zNWM1zink+FbsE7B8niPLZ3KNdViS7GcEcXOk4xIDcMAZ3LfEf3A4ZeYLg4ahT4D
-Lgbc0ZU1TnmUvDa2hy+RkbMKFHhSX0tlQNxUwAcEVldyeneYJaF6bzMwgdNbto1S
-i6u+YPdZRk+iPgFTIEjiRuDXs7pu260u4yY1RQIDAQABAoIBAQCwn3ahCUtrZDdM
-4T5ZxxCRCJ3aNI8SfBDuHyowV0a4fqd7qz5WfNDKNgIS+T7uDptOgf3SpVr2QasH
-GkduS7JgM0NuhJWo1QSTCb5Imfajw7OecfGlQpuh9o/tnMCH3AZvGlwmlkk651jj
-REVx4OGMbz8QJkPSY3v8DUKEUQKDSkRhZRhRGDZqbOSeERhOo2O3MqcBaVossYRw
-+2Apth2XHg+7mgQjQF+8Z/DeXtLZgOB4VwQ0vkJmSu+FLhWDJqA+WH5JaOrmS3SN
-lrPeIEwQMGHmwmIUAaQ7Akkow2xx4VuDRQUcUlitAM21x/MjBdTFbFx975svOiuE
-vePNasYBAoGBAOK8e8x0OrqhgsVGWLvJjHnhzTePpemCCB9jRRnTcmMUxXR7moCh
-WGgbyQ3+pU15WMxaIpVrGlV3LOwqSEXYspIpBQKv5+kSAaJf/Op3rtuzo57JLMYP
-YokMu43ewtSF0CE/7h98vruAYCcDJZs+T7K0lHCBS9pcjhU2MS/ktW2lAoGBANdd
-2a1dkEbZyD9NMGD+wWTkctrML3r1ZLy2gq1AX/oyKzdtD6T1nob435RVkyqPGLhr
-tEHJuxLiaJlCk5Kd8V84ps0J9SlZTkLzf2ixb06f1YI9ye37UzBr13H59+N6w8Zu
-24Gv12ht+WBecWKHgtF16LaCDPYORUMOa3CpgFchAoGBAN6M0Rr6jta3R0tpZBlW
-mErd5vd9SQWtO1nLr3zM/f7g2XsfA6T0OXlepHbXFtu3mwBiDIYK7XssEezxB6V/
-MK+kEaX0kTZFFVOS0gY2WWyOo7BsmEUDvtz0oXd8SlId0g+A17MSV4hlVnuUbCo3
-/DRVaUoQrypzJIcPfTIcVDR9AoGAY3uNrqB2odO9xUfhnhxvtywzxc/l6tVp6CYi
-bOc8rnT4M40kWd2/kbdqh7mT1mftUlsmE/GcgZemG41+X46nzYV8v1/nKGeBWDnk
-U7cKpHX+iUADg/PBNK/MAHEoSaMOxh21Nc3FIg8Sz6owlAPmsNzXV17xn8NtyRDj
-HlKd3yECgYBvB0bV1yXOvfoqGXAyadNJM9eKOuQwhrOJCXzCeMInhUtLpH35kC17
-e8rOmoBhV1rLpxlMLV8giyJSRUPoN/TfUHfS2pWfKPobrp50vaUn1hYp6EEr85Qs
-DdV2VilJsJN49sMg67GV3Zi4lnjVzYNFegw6y5Xi8l8ulYtzxJnemA==
------END RSA PRIVATE KEY-----
diff --git a/example/kube/apps/app2/deployment.yml b/example/kube/apps/app2/deployment.yml
deleted file mode 100644
index 5cb7e0bb0..000000000
--- a/example/kube/apps/app2/deployment.yml
+++ /dev/null
@@ -1,33 +0,0 @@
----
-apiVersion: apps/v1beta2
-kind: Deployment
-metadata:
-  name: test-app2
-  namespace: authelia
-  labels:
-    app: test-app2
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: test-app2
-  template:
-    metadata:
-      labels:
-        app: test-app2
-    spec:
-      containers:
-      - name: test-app2
-        image: nginx:alpine
-        ports:
-        - containerPort: 80
-        volumeMounts:
-        - name: app2-page
-          mountPath: /usr/share/nginx/html
-      volumes:
-      - name: app2-page
-        configMap:
-          name: app2-page
-          items:
-          - key: index.html
-            path: index.html
diff --git a/example/kube/apps/app2/index.html b/example/kube/apps/app2/index.html
deleted file mode 100644
index 0eaeb5410..000000000
--- a/example/kube/apps/app2/index.html
+++ /dev/null
@@ -1,9 +0,0 @@
-<html>
-  <head>
-    <title>Application 2</title>
-  </head>
-  <body>
-    <h1>Application 2</h2>
-    <p><a href="http://home.kube.example.com">Go Home</a></p>
-  </body>
-</html>
diff --git a/example/kube/apps/app2/service.yml b/example/kube/apps/app2/service.yml
deleted file mode 100644
index ef21e223e..000000000
--- a/example/kube/apps/app2/service.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: test-app2-service
-  namespace: authelia
-spec:
-  selector:
-    app: test-app2
-  ports:
-  - protocol: TCP
-    port: 80
diff --git a/example/kube/apps/app2/ssl/tls.crt b/example/kube/apps/app2/ssl/tls.crt
deleted file mode 100644
index ae5914029..000000000
--- a/example/kube/apps/app2/ssl/tls.crt
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICvDCCAaQCCQCE6h+pwV+OTTANBgkqhkiG9w0BAQsFADAgMR4wHAYDVQQDDBVh
-cHAyLmt1YmUuZXhhbXBsZS5jb20wHhcNMTgwMzA0MTUwODUyWhcNMjgwMzAxMTUw
-ODUyWjAgMR4wHAYDVQQDDBVhcHAyLmt1YmUuZXhhbXBsZS5jb20wggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDuVrXRL0i75y0QpbkFM7h1jIwbKOQYdkCR
-tAp4aFjRAnHE1DtiXuexoyhs0hbwtxmFF0RpPjOVLvLl/AZt6i65dC5gl1czLmmH
-nzjBzUF4jM5qJioP867vR2+SDnD6YWCQrwYG8bHeFKvppAlTY7g8YoTD/b3JNnV1
-t+uaPyNKvu33pOP2vP/w/709WFVEwd/334RFF6fjAyYrOgYgvqcgyJ6E6T4cf/Vl
-psgLZpJ7o4VoFHq1MdP6Ro+HzKwHUsDbH53U6wISe3dRBmHjTJH2sp1KuJ5gR1Ko
-CiiVfq+CCPOxGKNngQe2EqDHmuVuXu30VFu82hznfkXdlhuzTGSfAgMBAAEwDQYJ
-KoZIhvcNAQELBQADggEBAEWeTkGmuXnAPU8JGTa+O00kI9nFy10inbiU8O+XuwUL
-Cj53CRffbzlsCDRDDxxoBuJ5EvWho5F7MR7A8ZRDfWqLTogvjpVp2YJ+jK/iTbqU
-95tCVMByZufa4bHPWmngeYsSu0s0+qRYOeyiCbiFzlzFP3nLSS6aMPwrMUz7/Qp1
-XUE1YfyqjKDkvFN4Wq1GKOUZEh4CJh3SuOE/FrRAiaAWnOH4LVDn5TFEbLyEqZLd
-BrYEDopRsTpJck/ZEF43GZ0t8Y8CKffpWGV4PvSiUnl/7mKd+i+QsTx8CnnlR9y/
-ZvwNRwvRw3uXwkgRinE8wwONAfwB2nIYKyuU9/ODAPs=
------END CERTIFICATE-----
diff --git a/example/kube/apps/app2/ssl/tls.csr b/example/kube/apps/app2/ssl/tls.csr
deleted file mode 100644
index 13181d9f7..000000000
--- a/example/kube/apps/app2/ssl/tls.csr
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICZTCCAU0CAQAwIDEeMBwGA1UEAwwVYXBwMi5rdWJlLmV4YW1wbGUuY29tMIIB
-IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7la10S9Iu+ctEKW5BTO4dYyM
-GyjkGHZAkbQKeGhY0QJxxNQ7Yl7nsaMobNIW8LcZhRdEaT4zlS7y5fwGbeouuXQu
-YJdXMy5ph584wc1BeIzOaiYqD/Ou70dvkg5w+mFgkK8GBvGx3hSr6aQJU2O4PGKE
-w/29yTZ1dbfrmj8jSr7t96Tj9rz/8P+9PVhVRMHf99+ERRen4wMmKzoGIL6nIMie
-hOk+HH/1ZabIC2aSe6OFaBR6tTHT+kaPh8ysB1LA2x+d1OsCEnt3UQZh40yR9rKd
-SrieYEdSqAoolX6vggjzsRijZ4EHthKgx5rlbl7t9FRbvNoc535F3ZYbs0xknwID
-AQABoAAwDQYJKoZIhvcNAQELBQADggEBANqbKTFSeOf9GRgrNuqRGYYdqSPaoXpu
-iSKhJRABj4zMOCJlfDpeMQ8mGfmBUV+IHr+X8/nbMt+OMEf4u1+7Mmz4Zfvkt5gP
-MBlYbauVxn/uIYp7aZgBUABC7SvLeITRz4rnQW5SvCNyuJAKQh84uF82g47S7Oaz
-2dp6NO1nQ/N9SD6y0CyuIXf1KbSk4+lXa3+rGyqpF1aovpXCgvcA3tWrI/Lg2t5E
-uPoiHegKGKyWUZeVh8eKY2ZBCl+uRmwLqTTdzj1HcoK5T1slg0X+K9Q1UsGy23Pw
-RHFtGuel8msESgTnspzQF3T1uOscOOiQFG3xnoZtxH92gFT+pI7DoEY=
------END CERTIFICATE REQUEST-----
diff --git a/example/kube/apps/app2/ssl/tls.key b/example/kube/apps/app2/ssl/tls.key
deleted file mode 100644
index b57aac983..000000000
--- a/example/kube/apps/app2/ssl/tls.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEA7la10S9Iu+ctEKW5BTO4dYyMGyjkGHZAkbQKeGhY0QJxxNQ7
-Yl7nsaMobNIW8LcZhRdEaT4zlS7y5fwGbeouuXQuYJdXMy5ph584wc1BeIzOaiYq
-D/Ou70dvkg5w+mFgkK8GBvGx3hSr6aQJU2O4PGKEw/29yTZ1dbfrmj8jSr7t96Tj
-9rz/8P+9PVhVRMHf99+ERRen4wMmKzoGIL6nIMiehOk+HH/1ZabIC2aSe6OFaBR6
-tTHT+kaPh8ysB1LA2x+d1OsCEnt3UQZh40yR9rKdSrieYEdSqAoolX6vggjzsRij
-Z4EHthKgx5rlbl7t9FRbvNoc535F3ZYbs0xknwIDAQABAoIBAFcXgGDsMlvXYfRP
-Woi4GZN6xEe4bYEy1O1pKNpO5wWZKxGNrBWKMIgM4tzA+HkFr2Ge2vTKMfc1rLS1
-n3PSuzgxaDELnGWrdAyG9ip7Yo02hsbrIzupBCeTpwVsGYSkyLCWBFHNR/2q+Bbs
-RiweqFgIeBNWSV+ZctqNVp6Kq87HuYfm/ka8ewVnPYhEMewuE0vqfVjc+fdPr/5I
-4uQCCw0/ZTFFP++hkyNsH1ZCdUeT83xbgUwFA0M/3ckjMhzcP7lncq6Gvy8NpBhI
-mle/Ev82yaDRl5VKoenpy2d8L+qvIjRbhZiZuTAU9AWRvOKrTMtzKSpyMgWAQZ64
-69ResmECgYEA+2Ws4qBiYd3BKF5tc0fWbS0omThT60oLc6aLu5NoryogHHNwPOud
-69nCDHSyYp+PqK1HLrOAVoTLmuwyys15juizewO809gYRgXlNZ9TKED8Znyg004o
-EQVYxMevq2kfDOBJkMphLXAvFrRFQVB2Km8EfKkrI++1rhxKGJD+FzMCgYEA8rPU
-G1v3/uemBxYO/bEmdjvsDfLI7FBYNmjgvBGJocSwb2sG/tRr0imZBPAuDlCKcZ1E
-G3rZOJ0VsLzxX5RCVYFKRQvUtbaNO+uDJjChxQ/fQQdbIoaIMjyAVLI7t3Ei4+nY
-7eHYjcHeMX54drO8YqQ6OoWZ4x8DI8KNcxBnzOUCgYA+uMRkmn1RS4For/6At5ih
-DpZFfA878fJffVr5hrKkmU7/qjGDkYmKEX9fmjHzdznhbLIIzdIkQ+eElI+rl45P
-gHFfLLSM6ipMNiZUtZaKwYP3kfqSHbrTXFEkb2m9y3Fqxf60uDl8m7Oz53Ar9oY0
-2hP1gkN4KNNcSESYUnyCjwKBgAR9+ZYMDLoGFZeZ++sMJVcY4tSbQsbE8e0H4ej5
-Nh/tYQqe44FB80Dvjip+O4v+R6G0tHcBvhWDKsyboqgPOW8Vtocyodw/JbwPLt09
-FzFrislMVo58CPdNEV7/8YUCrg+j22UDwhtVlEQ8QASKbRkySvWcVW3TvB4kUrPn
-gNRVAoGAI99QzqSRBSLeDgxxRgTM7l5wzyVEmJfmMqQsIbHvYy6zG9iYjFI6UZ8I
-U3C/Sdnq7wCWa70b3L8A1iN2fYVwvkEH5WGbEp5B2Cye50avegbPi1FgGw2VSIuS
-ysAkWaVJXsb2oQNtjidRuEflhy4nr7eybwa6cgarh7ci3JB+tQ8=
------END RSA PRIVATE KEY-----
diff --git a/example/kube/apps/apps.yml b/example/kube/apps/apps.yml
new file mode 100644
index 000000000..db4333429
--- /dev/null
+++ b/example/kube/apps/apps.yml
@@ -0,0 +1,130 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: test-app
+  namespace: authelia
+  labels:
+    k8s-app: test-app
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        k8s-app: test-app
+    spec:
+      containers:
+      - name: test-app
+        imagePullPolicy: Never
+        image: authelia-example-backend
+        ports:
+        - containerPort: 80
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: test-app-service
+  namespace: authelia
+  labels:
+    k8s-app: test-app
+spec:
+  selector:
+    k8s-app: test-app
+  ports:
+    - port: 80
+      name: http
+    - port: 443
+      name: https
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: insecure-ingress
+  namespace: authelia
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    kubernetes.io/ingress.allow-http: "false"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  tls:
+  - secretName: test-app-tls
+    hosts:
+    - home.example.com
+  rules:
+  - host: home.example.com
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: test-app-service
+          servicePort: 80
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: secure-ingress
+  namespace: authelia
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    kubernetes.io/ingress.allow-http: "false"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/auth-url: "http://authelia-service.authelia.svc.cluster.local/api/verify"
+    nginx.ingress.kubernetes.io/auth-signin: "https://login.example.com:8080/#/"
+spec:
+  tls:
+  - secretName: test-app-tls
+    hosts:
+    - public.example.com
+    - admin.example.com
+    - dev.example.com
+    - mx1.mail.example.com
+    - mx2.mail.example.com
+    - singlefactor.example.com
+  rules:
+  - host: public.example.com
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: test-app-service
+          servicePort: 80
+  - host: admin.example.com
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: test-app-service
+          servicePort: 80
+  - host: dev.example.com
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: test-app-service
+          servicePort: 80
+  - host: mx1.mail.example.com
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: test-app-service
+          servicePort: 80
+  - host: mx2.mail.example.com
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: test-app-service
+          servicePort: 80
+  - host: singlefactor.example.com
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: test-app-service
+          servicePort: 80
+
diff --git a/example/kube/apps/insecure-ingress.yml b/example/kube/apps/insecure-ingress.yml
deleted file mode 100644
index 8a2c5793b..000000000
--- a/example/kube/apps/insecure-ingress.yml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: insecure-ingress
-  namespace: authelia
-  annotations:
-    kubernetes.io/ingress.class: "nginx"
-spec:
-  tls:
-  - secretName: app1-tls
-    hosts:
-    - app1.kube.example.com
-  rules:
-  - host: app1.kube.example.com
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: test-app1-service
-          servicePort: 80
-  - host: home.kube.example.com
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: test-app-home-service
-          servicePort: 80
diff --git a/example/kube/apps/secure-ingress.yml b/example/kube/apps/secure-ingress.yml
deleted file mode 100644
index 2858479fb..000000000
--- a/example/kube/apps/secure-ingress.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: secure-ingress
-  namespace: authelia
-  annotations:
-    kubernetes.io/ingress.class: "nginx"
-    nginx.ingress.kubernetes.io/auth-url: "http://authelia-service.authelia.svc.cluster.local/api/verify"
-    nginx.ingress.kubernetes.io/auth-signin: "https://login.kube.example.com"
-spec:
-  tls:
-  - secretName: app2-tls
-    hosts:
-    - app2.kube.example.com
-  rules:
-  - host: app2.kube.example.com
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: test-app2-service
-          servicePort: 80
diff --git a/example/compose/nginx/minimal/ssl/server.crt b/example/kube/apps/ssl/tls.crt
similarity index 100%
rename from example/compose/nginx/minimal/ssl/server.crt
rename to example/kube/apps/ssl/tls.crt
diff --git a/example/compose/nginx/minimal/ssl/server.key b/example/kube/apps/ssl/tls.key
similarity index 100%
rename from example/compose/nginx/minimal/ssl/server.key
rename to example/kube/apps/ssl/tls.key
diff --git a/example/kube/authelia/configs/config.yml b/example/kube/authelia/configs/config.yml
index e715a14c8..95762b494 100644
--- a/example/kube/authelia/configs/config.yml
+++ b/example/kube/authelia/configs/config.yml
@@ -20,7 +20,7 @@ logs_level: debug
 #
 # Note: this parameter is optional. If not provided, user won't
 # be redirected upon successful authentication.
-default_redirection_url: https://login.kube.example.com
+default_redirection_url: https://home.example.com:8080
 
 # The authentication backend to use for verifying user passwords
 # and retrieve information such as email address and groups
@@ -79,76 +79,60 @@ authentication_backend:
   ## file:
   ##   path: ./users_database.yml
 
-# Authentication methods
-#
-# Authentication methods can be defined per subdomain.
-# There are currently two available methods: "single_factor" and "two_factor"
-#
-# Note: by default a domain uses "two_factor" method.
-#
-# Note: 'per_subdomain_methods' is a dictionary where keys must be subdomains and
-# values must be one of the two possible methods.
-#
-# Note: 'per_subdomain_methods' is optional.
-#
-# Note: authentication_methods is optional. If it is not set all sub-domains
-# are protected by two factors.
-authentication_methods:
-  default_method: two_factor
-#  per_subdomain_methods:
-#    single_factor.example.com: single_factor
-
 # Access Control
 #
-# Access control is a set of rules you can use to restrict user access to certain 
-# resources.
-# Any (apply to anyone), per-user or per-group rules can be defined.
-#
-# If 'access_control' is not defined, ACL rules are disabled and the `allow` default 
-# policy is applied, i.e., access is allowed to anyone. Otherwise restrictions follow 
-# the rules defined.
-# 
-# Note: One can use the wildcard * to match any subdomain. 
-# It must stand at the beginning of the pattern. (example: *.mydomain.com)
-# 
-# Note: You must put the pattern in simple quotes when using the wildcard for the YAML
-# to be syntaxically correct.
-#
-# Definition: A `rule` is an object with the following keys: `domain`, `policy` 
-# and `resources`.
-# - `domain` defines which domain or set of domains the rule applies to.
-# - `policy` is the policy to apply to resources. It must be either `allow` or `deny`.
-# - `resources` is a list of regular expressions that matches a set of resources to 
-# apply the policy to.
-#
-# Note: Rules follow an order of priority defined as follows:
-# In each category (`any`, `groups`, `users`), the latest rules have the highest 
-# priority. In other words, it means that if a given resource matches two rules in the
-# same category, the latest one overrides the first one.
-# Each category has also its own priority. That is, `users` has the highest priority, then
-# `groups` and `any` has the lowest priority. It means if two rules in different categories
-# match a given resource, the one in the category with the highest priority overrides the
-# other one.
-#
+# For more details about the configuration see config.template.yml at the root of the repo.
 access_control:
-  # Default policy can either be `allow` or `deny`.
-  # It is the policy applied to any resource if it has not been overriden
-  # in the `any`, `groups` or `users` category.
   default_policy: deny
 
-  # The rules that apply to anyone.
-  # The value is a list of rules.
-  any:
+  rules:
+    # Rules applied to everyone
+    - domain: public.example.com
+      policy: bypass
+    - domain: secure.example.com
+      policy: two_factor
+    - domain: singlefactor.example.com
+      policy: one_factor
+
+    # Rules applied to 'admin' group
+    - domain: 'mx2.mail.example.com'
+      subject: 'group:admin'
+      policy: deny
     - domain: '*.example.com'
-      policy: allow
-  
-  # Group-based rules. The key is a group name and the value
-  # is a list of rules.
-  groups: {}
-  
-  # User-based rules. The key is a user name and the value
-  # is a list of rules.
-  users: {}
+      subject: 'group:admin'
+      policy: two_factor
+
+    # Rules applied to 'dev' group
+    - domain: dev.example.com
+      resources:
+        - '^/groups/dev/.*$'
+      subject: 'group:dev'
+      policy: two_factor
+
+    # Rules applied to user 'john'
+    - domain: dev.example.com
+      resources:
+        - '^/users/john/.*$'
+      subject: 'user:john'
+      policy: two_factor
+
+
+    # Rules applied to user 'harry'
+    - domain: dev.example.com
+      resources:
+        - '^/users/harry/.*$'
+      subject: 'user:harry'
+      policy: two_factor
+
+    # Rules applied to user 'bob'
+    - domain: '*.mail.example.com'
+      subject: 'user:bob'
+      policy: two_factor
+    - domain: 'dev.example.com'
+      resources:
+        - '^/users/bob/.*$'
+      subject: 'user:bob'
+      policy: two_factor
 
 
 # Configuration of session cookies
diff --git a/example/kube/authelia/deployment.yml b/example/kube/authelia/deployment.yml
index c0010ee3f..045ae6366 100644
--- a/example/kube/authelia/deployment.yml
+++ b/example/kube/authelia/deployment.yml
@@ -18,8 +18,7 @@ spec:
     spec:
       containers:
       - name: authelia
-        image: localhost:5000/authelia:latest
-        imagePullPolicy: Always
+        image: authelia:dist
         ports:
         - containerPort: 80
         volumeMounts:
diff --git a/example/kube/authelia/ingress.yml b/example/kube/authelia/ingress.yml
index ec3e9e3e9..3a6f2691d 100644
--- a/example/kube/authelia/ingress.yml
+++ b/example/kube/authelia/ingress.yml
@@ -10,10 +10,10 @@ spec:
   tls:
   - secretName: authelia-tls
     hosts:
-    - login.kube.example.com
+    - login.example.com
   rules:
   rules:
-  - host: login.kube.example.com
+  - host: login.example.com
     http:
       paths:
       - path: /
diff --git a/example/kube/bootstrap-authelia.sh b/example/kube/bootstrap-authelia.sh
new file mode 100755
index 000000000..15af1cca1
--- /dev/null
+++ b/example/kube/bootstrap-authelia.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+start_authelia() {
+  kubectl create configmap authelia-config --namespace=authelia --from-file=authelia/configs/config.yml
+  kubectl apply -f authelia
+}
+
+start_authelia
\ No newline at end of file
diff --git a/example/kube/bootstrap.sh b/example/kube/bootstrap.sh
old mode 100644
new mode 100755
index 7c5493496..c372a3d38
--- a/example/kube/bootstrap.sh
+++ b/example/kube/bootstrap.sh
@@ -1,30 +1,19 @@
 #!/bin/bash
 
-start_apps() {
-  # Create the test application pages                                             
-  kubectl create configmap app1-page --namespace=authelia --from-file=apps/app1/index.html
-  kubectl create configmap app2-page --namespace=authelia --from-file=apps/app2/index.html
-  kubectl create configmap app-home-page --namespace=authelia --from-file=apps/app-home/index.html
-                                                                                  
+start_apps() {                                                                                  
   # Create TLS certificate and key for HTTPS termination                          
-  kubectl create secret generic app1-tls --namespace=authelia --from-file=apps/app1/ssl/tls.key --from-file=apps/app1/ssl/tls.crt
-  kubectl create secret generic app2-tls --namespace=authelia --from-file=apps/app2/ssl/tls.key --from-file=apps/app2/ssl/tls.crt
-  kubectl create secret generic authelia-tls --namespace=authelia --from-file=authelia/ssl/tls.key --from-file=authelia/ssl/tls.crt
+  kubectl create secret generic test-app-tls --namespace=authelia --from-file=apps/ssl/tls.key --from-file=apps/ssl/tls.crt
   
   # Spawn the applications
   kubectl apply -f apps
-  kubectl apply -f apps/app1
-  kubectl apply -f apps/app2
-  kubectl apply -f apps/app-home
 }
 
 start_ingress_controller() {
   kubectl apply -f ingress-controller
 }
 
-start_authelia() {
-  kubectl create configmap authelia-config --namespace=authelia --from-file=authelia/configs/config.yml
-  kubectl apply -f authelia
+start_dashboard() {
+  kubectl apply -f dashboard
 }
 
 # Spawn Redis and Mongo as backend for Authelia
@@ -34,28 +23,23 @@ start_storage() {
 }
 
 # Create a fake mailbox to catch emails sent by Authelia
-start_mailcatcher() {
-  kubectl apply -f mailcatcher
+start_mail() {
+  kubectl apply -f mail
 }
 
 start_ldap() {
   kubectl apply -f ldap
 }
 
-start_docker_registry() {
-  kubectl apply -f docker-registry
-}
-
 # Create the Authelia namespace in the cluster
 create_namespace() {
   kubectl apply -f namespace.yml
 }
 
 create_namespace
-start_docker_registry
+start_dashboard
 start_storage
 start_ldap
-start_mailcatcher
+start_mail
 start_ingress_controller
-start_authelia
 start_apps
diff --git a/example/kube/build_and_push.sh b/example/kube/build_and_push.sh
deleted file mode 100644
index de6310054..000000000
--- a/example/kube/build_and_push.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-build_and_push_authelia() {
-  cd ../../
-  docker build -t registry.kube.example.com:80/authelia .
-  docker push registry.kube.example.com:80/authelia
-}
-
-build_and_push_authelia
diff --git a/example/kube/dashboard/dashboard.yaml b/example/kube/dashboard/dashboard.yaml
new file mode 100644
index 000000000..059769f1e
--- /dev/null
+++ b/example/kube/dashboard/dashboard.yaml
@@ -0,0 +1,179 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# ------------------- Dashboard Secret ------------------- #
+
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard-certs
+  namespace: kube-system
+type: Opaque
+
+---
+# ------------------- Dashboard Service Account ------------------- #
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard
+  namespace: kube-system
+
+---
+# ------------------- Dashboard Role & Role Binding ------------------- #
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kubernetes-dashboard-minimal
+  namespace: kube-system
+rules:
+  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
+  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["create"]
+  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
+  verbs: ["get", "update", "delete"]
+  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+  resources: ["configmaps"]
+  resourceNames: ["kubernetes-dashboard-settings"]
+  verbs: ["get", "update"]
+  # Allow Dashboard to get metrics from heapster.
+- apiGroups: [""]
+  resources: ["services"]
+  resourceNames: ["heapster"]
+  verbs: ["proxy"]
+- apiGroups: [""]
+  resources: ["services/proxy"]
+  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
+  verbs: ["get"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kubernetes-dashboard-minimal
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: kubernetes-dashboard-minimal
+subjects:
+- kind: ServiceAccount
+  name: kubernetes-dashboard
+  namespace: kube-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: kubernetes-dashboard
+  labels:
+    k8s-app: kubernetes-dashboard
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: kubernetes-dashboard
+  namespace: kube-system
+
+---
+# ------------------- Dashboard Deployment ------------------- #
+
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard
+  namespace: kube-system
+spec:
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      k8s-app: kubernetes-dashboard
+  template:
+    metadata:
+      labels:
+        k8s-app: kubernetes-dashboard
+    spec:
+      containers:
+      - name: kubernetes-dashboard
+        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
+        ports:
+        - containerPort: 8443
+          protocol: TCP
+        args:
+          - --auto-generate-certificates
+          - --enable-skip-login
+          # Uncomment the following line to manually specify Kubernetes API server Host
+          # If not specified, Dashboard will attempt to auto discover the API server and connect
+          # to it. Uncomment only if the default does not work.
+          # - --apiserver-host=http://my-address:port
+        volumeMounts:
+        - name: kubernetes-dashboard-certs
+          mountPath: /certs
+          # Create on-disk volume to store exec logs
+        - mountPath: /tmp
+          name: tmp-volume
+        livenessProbe:
+          httpGet:
+            scheme: HTTPS
+            path: /
+            port: 8443
+          initialDelaySeconds: 30
+          timeoutSeconds: 30
+      volumes:
+      - name: kubernetes-dashboard-certs
+        secret:
+          secretName: kubernetes-dashboard-certs
+      - name: tmp-volume
+        emptyDir: {}
+      serviceAccountName: kubernetes-dashboard
+      # Comment the following tolerations if Dashboard must not be deployed on master
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        effect: NoSchedule
+
+---
+# ------------------- Dashboard Service ------------------- #
+
+kind: Service
+apiVersion: v1
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard
+  namespace: kube-system
+spec:
+  ports:
+    - port: 443
+      targetPort: 8443
+  selector:
+    k8s-app: kubernetes-dashboard
diff --git a/example/kube/docker-registry/daemonset.yml b/example/kube/docker-registry/daemonset.yml
deleted file mode 100644
index 3d370a30d..000000000
--- a/example/kube/docker-registry/daemonset.yml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-apiVersion: extensions/v1beta1
-kind: DaemonSet
-metadata:
-  name: kube-registry-proxy
-  namespace: kube-system
-  labels:
-    k8s-app: kube-registry-proxy
-    kubernetes.io/cluster-service: "true"
-    version: v0.4
-spec:
-  template:
-    metadata:
-      labels:
-        k8s-app: kube-registry-proxy
-        kubernetes.io/name: "kube-registry-proxy"
-        kubernetes.io/cluster-service: "true"
-        version: v0.4
-    spec:
-      containers:
-      - name: kube-registry-proxy
-        image: gcr.io/google_containers/kube-registry-proxy:0.4
-        resources:
-          limits:
-            cpu: 100m
-            memory: 50Mi
-        env:
-        - name: REGISTRY_HOST
-          value: kube-registry.kube-system.svc.cluster.local
-        - name: REGISTRY_PORT
-          value: "5000"
-        ports:
-        - name: registry
-          containerPort: 80
-          hostPort: 5000
diff --git a/example/kube/docker-registry/ingress.yml b/example/kube/docker-registry/ingress.yml
deleted file mode 100644
index 3c71a94d6..000000000
--- a/example/kube/docker-registry/ingress.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: registry-ingress
-  namespace: kube-system
-  annotations:
-    kubernetes.io/ingress.class: nginx
-    nginx.ingress.kubernetes.io/proxy-body-size: 100m # Avoid 413 Request entity too large
-spec:
-  rules:
-  - host: registry.kube.example.com
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: kube-registry 
-          servicePort: 5000
diff --git a/example/kube/docker-registry/replicationcontroller.yml b/example/kube/docker-registry/replicationcontroller.yml
deleted file mode 100644
index 45881785c..000000000
--- a/example/kube/docker-registry/replicationcontroller.yml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-apiVersion: v1
-kind: ReplicationController
-metadata:
-  name: kube-registry-v0
-  namespace: kube-system
-  labels:
-    k8s-app: kube-registry-upstream
-    version: v0
-    kubernetes.io/cluster-service: "true"
-spec:
-  replicas: 1
-  selector:
-    k8s-app: kube-registry-upstream
-    version: v0
-  template:
-    metadata:
-      labels:
-        k8s-app: kube-registry-upstream
-        version: v0
-        kubernetes.io/cluster-service: "true"
-    spec:
-      containers:
-      - name: registry
-        image: registry:2
-        resources:
-          limits:
-            cpu: 100m
-            memory: 100Mi
-        env:
-        - name: REGISTRY_HTTP_ADDR
-          value: :5000
-        - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
-          value: /var/lib/registry
-        volumeMounts:
-        - name: image-store
-          mountPath: /var/lib/registry
-        ports:
-        - containerPort: 5000
-          name: registry
-          protocol: TCP
-      volumes:
-      - name: image-store
-        emptyDir: {}
diff --git a/example/kube/docker-registry/service.yml b/example/kube/docker-registry/service.yml
deleted file mode 100644
index cbadaaf9c..000000000
--- a/example/kube/docker-registry/service.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: kube-registry
-  namespace: kube-system
-  labels:
-    k8s-app: kube-registry-upstream
-    kubernetes.io/cluster-service: "true"
-    kubernetes.io/name: "KubeRegistry"
-spec:
-  selector:
-    k8s-app: kube-registry-upstream
-  ports:
-  - name: registry
-    port: 5000
-    protocol: TCP
diff --git a/example/kube/ingress-controller/default-backend.yml b/example/kube/ingress-controller/default-backend.yml
deleted file mode 100644
index 8bb33965e..000000000
--- a/example/kube/ingress-controller/default-backend.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-apiVersion: extensions/v1beta1
-kind: Deployment
-metadata:
-  name: default-http-backend
-  labels:
-    app: default-http-backend
-  namespace: authelia
-spec:
-  replicas: 1
-  template:
-    metadata:
-      labels:
-        app: default-http-backend
-    spec:
-      terminationGracePeriodSeconds: 60
-      containers:
-      - name: default-http-backend
-        image: gcr.io/google_containers/defaultbackend:1.4
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 30
-          timeoutSeconds: 5
-        ports:
-        - containerPort: 8080
-        resources:
-          limits:
-            cpu: 10m
-            memory: 20Mi
-          requests:
-            cpu: 10m
-            memory: 20Mi
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: default-http-backend
-  namespace: authelia
-  labels:
-    app: default-http-backend
-spec:
-  ports:
-  - port: 80
-    targetPort: 8080
-  selector:
-    app: default-http-backend
diff --git a/example/kube/ingress-controller/deployment.yml b/example/kube/ingress-controller/deployment.yml
index f67f5f8aa..40441a93b 100644
--- a/example/kube/ingress-controller/deployment.yml
+++ b/example/kube/ingress-controller/deployment.yml
@@ -2,26 +2,27 @@
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
-  name: nginx-ingress-controller-external
+  name: nginx-ingress-controller
   namespace: authelia
   labels:
-    k8s-app: nginx-ingress-controller-external
+    k8s-app: nginx-ingress-controller
 spec:
   replicas: 1
   revisionHistoryLimit: 0
   template:
     metadata:
       labels:
-        k8s-app: nginx-ingress-controller-external
-        name: nginx-ingress-controller-external
+        k8s-app: nginx-ingress-controller
+        name: nginx-ingress-controller
       annotations:
         prometheus.io/port: '10254'
         prometheus.io/scrape: 'true'
     spec:
       terminationGracePeriodSeconds: 60
+      serviceAccountName: nginx-ingress-controller-serviceaccount
       containers:
-      - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.13.0
-        name: nginx-ingress-controller-external
+      - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.23.0
+        name: nginx-ingress-controller
         imagePullPolicy: Always
         ports:
         - containerPort: 80
@@ -38,5 +39,4 @@ spec:
         args:
         - /nginx-ingress-controller
         - --ingress-class=nginx
-        - --election-id=ingress-controller-leader-external
-        - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
+        - --election-id=ingress-controller-leader
diff --git a/example/kube/ingress-controller/rbac.yml b/example/kube/ingress-controller/rbac.yml
new file mode 100644
index 000000000..cb3908588
--- /dev/null
+++ b/example/kube/ingress-controller/rbac.yml
@@ -0,0 +1,141 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nginx-ingress-controller-serviceaccount
+  namespace: authelia
+  labels:
+    k8s-app: nginx-ingress-controller
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: nginx-ingress-controller-clusterrole
+  labels:
+    k8s-app: nginx-ingress-controller
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - endpoints
+      - nodes
+      - pods
+      - secrets
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "extensions"
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - "extensions"
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: nginx-ingress-controller-role
+  namespace: authelia
+  labels:
+    k8s-app: nginx-ingress-controller
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - pods
+      - secrets
+      - namespaces
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    resourceNames:
+      # Defaults to "<election-id>-<ingress-class>"
+      # Here: "<ingress-controller-leader>-<nginx>"
+      # This has to be adapted if you change either parameter
+      # when launching the nginx-ingress-controller.
+      - "ingress-controller-leader-nginx"
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+    verbs:
+      - get
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: nginx-ingress-controller-role-nisa-binding
+  namespace: authelia
+  labels:
+    k8s-app: nginx-ingress-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: nginx-ingress-controller-role
+subjects:
+  - kind: ServiceAccount
+    name: nginx-ingress-controller-serviceaccount
+    namespace: authelia
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: nginx-ingress-controller-clusterrole-nisa-binding
+  labels:
+    k8s-app: nginx-ingress-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: nginx-ingress-controller-clusterrole
+subjects:
+  - kind: ServiceAccount
+    name: nginx-ingress-controller-serviceaccount
+    namespace: authelia
+
+---
diff --git a/example/kube/ingress-controller/service.yml b/example/kube/ingress-controller/service.yml
index 6149ce6f1..ffb6547d3 100644
--- a/example/kube/ingress-controller/service.yml
+++ b/example/kube/ingress-controller/service.yml
@@ -2,17 +2,16 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: nginx-ingress-controller-external-service
+  name: nginx-ingress-controller-service
   namespace: authelia
   labels:
-    k8s-app: nginx-ingress-controller-external
+    k8s-app: nginx-ingress-controller
 spec:
   selector:
-    k8s-app: nginx-ingress-controller-external
+    k8s-app: nginx-ingress-controller
+  type: NodePort
   ports:
     - port: 80
       name: http
     - port: 443
       name: https
-  externalIPs:
-    - 192.168.39.26
diff --git a/example/kube/mailcatcher/deployment.yml b/example/kube/mail/deployment.yml
similarity index 100%
rename from example/kube/mailcatcher/deployment.yml
rename to example/kube/mail/deployment.yml
diff --git a/example/kube/mailcatcher/ingress.yml b/example/kube/mail/ingress.yml
similarity index 76%
rename from example/kube/mailcatcher/ingress.yml
rename to example/kube/mail/ingress.yml
index ce8131def..5de208739 100644
--- a/example/kube/mailcatcher/ingress.yml
+++ b/example/kube/mail/ingress.yml
@@ -7,8 +7,12 @@ metadata:
   annotations:
     kubernetes.io/ingress.class: "nginx"
 spec:
+  tls:
+  - secretName: mail-tls
+    hosts:
+    - mail.example.com
   rules:
-  - host: mail.kube.example.com
+  - host: mail.example.com
     http:
       paths:
       - path: /
diff --git a/example/kube/mailcatcher/service.yml b/example/kube/mail/service.yml
similarity index 100%
rename from example/kube/mailcatcher/service.yml
rename to example/kube/mail/service.yml
diff --git a/example/kube/test.yml b/example/kube/test.yml
new file mode 100644
index 000000000..e19f9e757
--- /dev/null
+++ b/example/kube/test.yml
@@ -0,0 +1,22 @@
+---
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+  name: test-app1
+  namespace: kube-public
+  labels:
+    app: test-app1
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: test-app1
+  template:
+    metadata:
+      labels:
+        app: test-app1
+    spec:
+      containers:
+      - name: test-app1
+        image: clems4ever/authelia:kube
+        imagePullPolicy: Never
diff --git a/package-lock.json b/package-lock.json
index ad8042343..2a435d61a 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -260,14 +260,14 @@
       }
     },
     "@types/connect-redis": {
-      "version": "0.0.7",
-      "resolved": "https://registry.npmjs.org/@types/connect-redis/-/connect-redis-0.0.7.tgz",
-      "integrity": "sha512-ui1DPnJxqgBhqPj0XTVyPkzffEX9DIGkb2nT2mzZ0OlsKn/u9BvRvKmjpi4Vydf2uw3z/D4UmMH4KMkilySqvw==",
+      "version": "0.0.9",
+      "resolved": "https://registry.npmjs.org/@types/connect-redis/-/connect-redis-0.0.9.tgz",
+      "integrity": "sha512-LdAbC9EnQkHLMgeV0EKufPbqaRKfsAxgdWaYnDtQOKuJV2U4JpFE2EU4yKJ3G2FjVvNXyzO6rcaBBjPBztGTzg==",
       "dev": true,
       "requires": {
         "@types/express": "4.11.1",
         "@types/express-session": "1.15.8",
-        "@types/redis": "2.8.6"
+        "@types/redis": "2.8.11"
       }
     },
     "@types/ejs": {
@@ -495,12 +495,11 @@
       "dev": true
     },
     "@types/redis": {
-      "version": "2.8.6",
-      "resolved": "https://registry.npmjs.org/@types/redis/-/redis-2.8.6.tgz",
-      "integrity": "sha512-kaSI4XQwCfJtPiuyCXvLxCaw2N0fMZesdob3Jh01W20vNFct+3lfvJ/4yCJxbSopXOBOzpg+pGxkW6uWZrPZHA==",
+      "version": "2.8.11",
+      "resolved": "https://registry.npmjs.org/@types/redis/-/redis-2.8.11.tgz",
+      "integrity": "sha512-i0AqDzjX0FlO+npqkhl1etZw1fGnJc0IeHUHKAf/V7Drk+rDJI634GE9Lwh8aj/2ahuW6jHdWX4ZnyNofWXKrw==",
       "dev": true,
       "requires": {
-        "@types/events": "1.2.0",
         "@types/node": "10.0.3"
       }
     },
@@ -569,7 +568,8 @@
     "@types/url-parse": {
       "version": "1.4.2",
       "resolved": "https://registry.npmjs.org/@types/url-parse/-/url-parse-1.4.2.tgz",
-      "integrity": "sha512-Z25Ef2iI0lkiBAoe8qATRHQWy+BWFWuWasD6HB5prsWx2QjLmB/ngXv8v9dePw2jDwdSvET4/6J5HxmeqhslmQ=="
+      "integrity": "sha512-Z25Ef2iI0lkiBAoe8qATRHQWy+BWFWuWasD6HB5prsWx2QjLmB/ngXv8v9dePw2jDwdSvET4/6J5HxmeqhslmQ==",
+      "dev": true
     },
     "@types/winston": {
       "version": "2.3.9",
@@ -1745,21 +1745,26 @@
       }
     },
     "connect-redis": {
-      "version": "3.3.3",
-      "resolved": "https://registry.npmjs.org/connect-redis/-/connect-redis-3.3.3.tgz",
-      "integrity": "sha512-rpWsW2uk1uOe/ccY/JvW+RiLrhZm7auIx8z4yR+KXemFTIhJyD58jXiJbI0E/fZCnybawpdSqOZ+6/ah6aBeyg==",
+      "version": "3.4.1",
+      "resolved": "https://registry.npmjs.org/connect-redis/-/connect-redis-3.4.1.tgz",
+      "integrity": "sha512-oXNcpLg/PJ6G4gbhyGwrQK9mUQTKYa2aEnOH9kWIxbNUjIFPqUmzz75RdLp5JTPSjrBVcz+9ll4sSxfvlW0ZLA==",
       "requires": {
-        "debug": "3.1.0",
+        "debug": "4.1.1",
         "redis": "2.8.0"
       },
       "dependencies": {
         "debug": {
-          "version": "3.1.0",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-3.1.0.tgz",
-          "integrity": "sha512-OX8XqP7/1a9cqkxYw2yXss15f26NKWBpDXQd0/uK/KPqdQhxbPa994hnzjcE2VqQpDslf55723cKPUOGSmMY3g==",
+          "version": "4.1.1",
+          "resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz",
+          "integrity": "sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw==",
           "requires": {
-            "ms": "2.0.0"
+            "ms": "2.1.1"
           }
+        },
+        "ms": {
+          "version": "2.1.1",
+          "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.1.tgz",
+          "integrity": "sha512-tgp+dl5cGk28utYktBsrFqA7HKgrhgPsg6Z/EfhWI4gl1Hwq8B/GmY/0oXZ6nF8hDVesS/FpnYaD/kOWhYQvyg=="
         }
       }
     },
@@ -7489,14 +7494,14 @@
       "integrity": "sha512-M1OkonEQwtRmZv4tEWF2VgpG0JWJ8Fv1PhlgT5+B+uNq2cA3Rt1Yt/ryoR+vQNOQcIEgdCdfH0jr3bDpihAw1A==",
       "requires": {
         "double-ended-queue": "2.1.0-0",
-        "redis-commands": "1.3.5",
+        "redis-commands": "1.4.0",
         "redis-parser": "2.6.0"
       }
     },
     "redis-commands": {
-      "version": "1.3.5",
-      "resolved": "https://registry.npmjs.org/redis-commands/-/redis-commands-1.3.5.tgz",
-      "integrity": "sha512-foGF8u6MXGFF++1TZVC6icGXuMYPftKXt1FBT2vrfU9ZATNtZJ8duRC5d1lEfE8hyVe3jhelHGB91oB7I6qLsA=="
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/redis-commands/-/redis-commands-1.4.0.tgz",
+      "integrity": "sha512-cu8EF+MtkwI4DLIT0x9P8qNTLFhQD4jLfxLR0cCNkeGzs87FN6879JOJwNQR/1zD7aSYNbU0hgsV9zGY71Itvw=="
     },
     "redis-parser": {
       "version": "2.6.0",
diff --git a/package.json b/package.json
index d11dcf9f2..eebb268f1 100644
--- a/package.json
+++ b/package.json
@@ -31,11 +31,10 @@
     "title": "Authelia API documentation"
   },
   "dependencies": {
-    "@types/url-parse": "^1.4.2",
     "ajv": "^6.3.0",
     "bluebird": "^3.5.0",
     "body-parser": "^1.15.2",
-    "connect-redis": "^3.3.0",
+    "connect-redis": "^3.4.1",
     "crypt3": "^1.0.0",
     "ejs": "^2.5.5",
     "express": "^4.14.0",
@@ -51,7 +50,6 @@
     "object-path": "^0.11.3",
     "randomatic": "^3.1.0",
     "randomstring": "^1.1.5",
-    "redis": "^2.8.0",
     "speakeasy": "^2.0.0",
     "u2f": "^0.1.2",
     "u2f-api": "^1.0.7",
@@ -64,7 +62,7 @@
     "@types/body-parser": "^1.16.3",
     "@types/chokidar": "^1.7.5",
     "@types/commander": "^2.12.2",
-    "@types/connect-redis": "0.0.7",
+    "@types/connect-redis": "0.0.9",
     "@types/ejs": "^2.3.33",
     "@types/express": "^4.0.35",
     "@types/express-session": "1.15.8",
@@ -81,13 +79,13 @@
     "@types/object-path": "^0.9.28",
     "@types/query-string": "^5.1.0",
     "@types/randomstring": "^1.1.5",
-    "@types/redis": "^2.6.0",
     "@types/request": "^2.0.5",
     "@types/request-promise": "^4.1.38",
     "@types/selenium-webdriver": "^3.0.4",
     "@types/sinon": "^4.3.0",
     "@types/speakeasy": "^2.0.2",
     "@types/tmp": "0.0.33",
+    "@types/url-parse": "^1.4.2",
     "@types/winston": "^2.3.2",
     "@types/yamljs": "^0.2.30",
     "apidoc": "^0.17.6",
diff --git a/scripts/authelia-scripts b/scripts/authelia-scripts
index 3f81c58ab..fa20ba4c5 100755
--- a/scripts/authelia-scripts
+++ b/scripts/authelia-scripts
@@ -5,6 +5,7 @@ var program = require('commander');
 program
   .version('0.0.1')
 
+  .command('bootstrap', 'Prepare some containers for development.')
   .command('suites', 'Run Authelia in specific environments.')
   .command('serve', 'Run Authelia with a customized configuration.')
   .command('build', 'Build production version of Authelia from source.')
diff --git a/scripts/authelia-scripts-bootstrap b/scripts/authelia-scripts-bootstrap
new file mode 100755
index 000000000..d2832c21a
--- /dev/null
+++ b/scripts/authelia-scripts-bootstrap
@@ -0,0 +1,24 @@
+#!/usr/bin/env node
+
+var { exec } = require('./utils/exec');
+var fs = require('fs');
+
+async function main() {
+  console.log('Build authelia-example-backend docker image.')
+  await exec('docker build -t authelia-example-backend example/compose/nginx/backend');
+
+  if (!fs.existsSync('/tmp/kind')) {
+    console.log('Install Kind for spawning a Kubernetes cluster.');
+    await exec('wget https://github.com/clems4ever/kind/releases/download/0.1.0-cmic1/kind-linux-amd64 -O /tmp/kind && chmod +x /tmp/kind');  
+  }
+
+  if (!fs.existsSync('/tmp/kubectl')) {
+    console.log('Install Kubectl for interacting with Kubernetes.');
+    await exec('wget https://storage.googleapis.com/kubernetes-release/release/v1.13.0/bin/linux/amd64/kubectl -O /tmp/kubectl && chmod +x /tmp/kubectl');
+  }
+}
+
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+})
\ No newline at end of file
diff --git a/scripts/authelia-scripts-docker-build b/scripts/authelia-scripts-docker-build
index a221c6863..a351339b9 100755
--- a/scripts/authelia-scripts-docker-build
+++ b/scripts/authelia-scripts-docker-build
@@ -1,6 +1,14 @@
 #!/usr/bin/env node
 
 var { exec } = require('./utils/exec');
-var { IMAGE_NAME } = require('./utils/docker');
+var { IMAGE_NAME, DOCKERHUB_IMAGE_NAME } = require('./utils/docker');
 
-exec(`docker build -t ${IMAGE_NAME} .`);
\ No newline at end of file
+async function main() {
+  await exec(`docker build -t ${IMAGE_NAME}:dist .`);
+  await exec(`docker tag ${IMAGE_NAME}:dist ${DOCKERHUB_IMAGE_NAME}`);
+}
+
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+})
\ No newline at end of file
diff --git a/scripts/authelia-scripts-docker-publish b/scripts/authelia-scripts-docker-publish
index 81c144191..174636c73 100755
--- a/scripts/authelia-scripts-docker-publish
+++ b/scripts/authelia-scripts-docker-publish
@@ -15,8 +15,9 @@ function login_to_dockerhub {
 
 function deploy_on_dockerhub {
   TAG=$1
-  IMAGE_NAME=clems4ever/authelia
-  IMAGE_WITH_TAG=$IMAGE_NAME:$TAG
+  IMAGE_NAME=authelia:dist
+  DOCKERHUB_IMAGE_NAME=clems4ever/authelia
+  IMAGE_WITH_TAG=$DOCKERHUB_IMAGE_NAME:$TAG
 
   echo "==========================================================="
   echo "Docker image $IMAGE_WITH_TAG will be deployed on Dockerhub."
@@ -27,12 +28,10 @@ function deploy_on_dockerhub {
 }
 
 
-if [ "$TRAVIS_BRANCH" == "master" ]; then
+if [ "$TRAVIS_BRANCH" == "master" ] && [ "$TRAVIS_PULL_REQUEST" == "false" ]; then
+  echo "Building on master branch"
   login_to_dockerhub
   deploy_on_dockerhub master
-elif [ "$TRAVIS_BRANCH" == "develop" ]; then
-  login_to_dockerhub
-  deploy_on_dockerhub develop
 elif [ ! -z "$TRAVIS_TAG" ]; then
   login_to_dockerhub
   deploy_on_dockerhub $TRAVIS_TAG
diff --git a/scripts/authelia-scripts-serve b/scripts/authelia-scripts-serve
index 13c290ea3..220922a76 100755
--- a/scripts/authelia-scripts-serve
+++ b/scripts/authelia-scripts-serve
@@ -2,7 +2,6 @@
 
 var program = require('commander');
 var spawn = require('child_process').spawn;
-var fs = require('fs');
 
 let config;
 
diff --git a/scripts/authelia-scripts-suites-start b/scripts/authelia-scripts-suites-start
index 1fdc85a97..4faf9aa6e 100755
--- a/scripts/authelia-scripts-suites-start
+++ b/scripts/authelia-scripts-suites-start
@@ -53,7 +53,8 @@ async function main() {
   });
 }
 
-main().catch((err) => {
-  console.error(err);
-  process.exit(1)
-});
\ No newline at end of file
+main()
+  .catch((err) => {
+    console.error(err);
+    process.exit(1)
+  });
\ No newline at end of file
diff --git a/scripts/authelia-scripts-suites-test b/scripts/authelia-scripts-suites-test
index 11946260a..6e35e2fef 100755
--- a/scripts/authelia-scripts-suites-test
+++ b/scripts/authelia-scripts-suites-test
@@ -3,6 +3,7 @@
 var program = require('commander');
 var spawn = require('child_process').spawn;
 var fs = require('fs');
+var ListSuites = require('./utils/ListSuites');
 
 let suite;
 
@@ -10,52 +11,108 @@ program
   .description('Run the tests for the current suite or the provided one.')
   .arguments('[suite]')
   .option('--headless', 'Run in headless mode.')
+  .option('--forbid-only', 'Forbid only and pending filters.')
   .action((suiteArg) => suite = suiteArg)
   .parse(process.argv);
 
-let args = [];
+async function runTests(suite, withEnv) {
+  return new Promise((resolve, reject) => {
+    let mochaArgs = ['--exit', '--colors', '--require', 'ts-node/register', 'test/suites/' + suite + '/test.ts']
+    if (program.forbidOnly) {
+      mochaArgs = ['--forbid-only', '--forbid-pending'] + mochaArgs;
+    }
+  
+    const mochaCommand = './node_modules/.bin/mocha ' + mochaArgs.join(' ');
+    let testProcess;
+    if (!withEnv) {
+      testProcess = spawn(mochaCommand, {
+        shell: true,
+        env: {
+          ...process.env,
+          TS_NODE_PROJECT: 'test/tsconfig.json',
+          HEADLESS: (program.headless) ? 'y' : 'n'
+        }
+      });
+    } else {
+      testProcess = spawn('./node_modules/.bin/ts-node',
+        ['-P', 'test/tsconfig.json', '--', './scripts/run-environment.ts', suite, mochaCommand], {
+        env: {
+          ...process.env,
+          TS_NODE_PROJECT: 'test/tsconfig.json',
+          HEADLESS: (program.headless) ? 'y' : 'n'
+        }
+      });
+    }
+  
+    testProcess.stdout.pipe(process.stdout);
+    testProcess.stderr.pipe(process.stderr);
+  
+    testProcess.on('exit', function(statusCode) {
+      if (statusCode == 0) resolve();
+      reject(new Error('Tests exited with status ' + statusCode));
+    });
+  });
+}
+
+async function runAllTests() {
+  const suites = ListSuites();
+  let failure = false;
+  for(var s in suites) {
+    try {
+      console.log('Running suite %s', suites[s]);
+      await runTests(suites[s], true);
+    } catch (e) {
+      console.error(e);
+      failure = true;
+    }
+  }
+  if (failure) {
+    throw new Error('Some tests failed.');
+  }
+}
+
 const ENVIRONMENT_FILENAME = '.suite'; // This file is created by the start command.
+const suiteFileExists = fs.existsSync(ENVIRONMENT_FILENAME);
 
 if (suite) {
-  if (fs.existsSync(ENVIRONMENT_FILENAME) && suite != fs.readFileSync(ENVIRONMENT_FILENAME)) {
+  if (suiteFileExists && suite != fs.readFileSync(ENVIRONMENT_FILENAME)) {
     console.error('You cannot test a suite while another one is running. If you want to test the current suite, ' +
                   'do not provide the suite argument. Otherwise, stop the current suite and run the command again.');
     process.exit(1);
   }
   console.log('Suite %s provided. Running test related to this suite against built version of Authelia.', suite);
-  args.push('test/suites/' + suite + '/test.ts');
+  runTests(suite, !suiteFileExists)
+    .catch((err) => {
+      console.error(err);
+      process.exit(1);
+    });
 }
-else if (fs.existsSync(ENVIRONMENT_FILENAME)) {
+else if (suiteFileExists) {
   suite = fs.readFileSync(ENVIRONMENT_FILENAME);
   console.log('Suite %s detected from dev env. Running test related to this suite.', suite);
-  args.push('test/suites/' + suite + '/test.ts');
+  runTests(suite, false)
+    .catch((err) => {
+      console.error(err);
+      process.exit(1);
+    });
 }
 else {
   console.log('No suite provided therefore all suites will be tested.');
-  args.push('test/suites/**/test.ts');
+  runAllTests(suite)
+    .catch((err) => {
+      console.error(err);
+      process.exit(1);
+    });
 }
 
-mocha = spawn('./node_modules/.bin/mocha', ['--forbid-only', '--forbid-pending', '--exit', '--colors', '--require', 'ts-node/register', ...args], {
-  env: {
-    ...process.env,
-    TS_NODE_PROJECT: 'test/tsconfig.json',
-    HEADLESS: (program.headless) ? 'y' : 'n',
-  }
+// Sometime SIGINT is received twice, we make sure with this variable that we cleanup
+// only once.
+var alreadyCleaningUp = false;
+
+// Properly cleanup server and client if ctrl-c is hit
+process.on('SIGINT', function() {
+  if (alreadyCleaningUp) return;
+  alreadyCleaningUp = true;
+  console.log('Cleanup procedure is running...');
 });
 
-mocha.stdout.pipe(process.stdout);
-mocha.stderr.pipe(process.stderr);
-
-mocha.on('exit', function(statusCode) {
-  if (statusCode != 0) {
-    console.error("The tests failed... Mocha exited with status code " + statusCode);
-    fs.readFile('/tmp/authelia-server.log', function(err, data) {
-      if (err) {
-        console.error(err);
-        return;
-      }
-      console.log(data.toString('utf-8'));
-    });
-  }
-  process.exit(statusCode);
-})
diff --git a/scripts/authelia-scripts-travis b/scripts/authelia-scripts-travis
index 11e6ce615..c5d592a81 100755
--- a/scripts/authelia-scripts-travis
+++ b/scripts/authelia-scripts-travis
@@ -2,17 +2,18 @@
 
 set -e
 
-export PATH=./scripts:$PATH
+source bootstrap.sh
 
 docker --version
 docker-compose --version
 echo "node `node -v`"
 echo "npm `npm -v`"
 
+authelia-scripts bootstrap
+
 docker-compose -f docker-compose.yml \
   -f example/compose/mongo/docker-compose.yml \
   -f example/compose/redis/docker-compose.yml \
-  -f example/compose/nginx/backend/docker-compose.yml \
   -f example/compose/nginx/portal/docker-compose.yml \
   -f example/compose/smtp/docker-compose.yml \
   -f example/compose/httpbin/docker-compose.yml \
diff --git a/scripts/run-environment.ts b/scripts/run-environment.ts
index ed1655e94..33f2d9e6a 100644
--- a/scripts/run-environment.ts
+++ b/scripts/run-environment.ts
@@ -1,7 +1,9 @@
+import { exec } from './utils/exec';
 
 const userSuite = process.argv[2];
+const command = process.argv[3]; // The command to run once the env is up.
 
-var { setup, teardown } = require(`../test/suites/${userSuite}/environment`);
+var { setup, setup_timeout, teardown, teardown_timeout } = require(`../test/suites/${userSuite}/environment`);
 
 function sleep(ms: number) {
   return new Promise(resolve => setTimeout(resolve, ms));
@@ -9,32 +11,64 @@ function sleep(ms: number) {
 
 let teardownInProgress = false;
 
+async function block() {
+  while (true) {
+    await sleep(10000);
+  }
+}
+
+async function blockOrRun(cmd: string | null) {
+  if (cmd) {
+    await exec(cmd);
+  } else {
+    await block();
+  }
+}
+
 process.on('SIGINT', function() {
   if (teardownInProgress) return;
   teardownInProgress = true;
-  console.log('Tearing down environment...');
-  return teardown()
-    .then(() => {
-      process.exit(0)
-    })
-    .catch((err: Error) => {
-      console.error(err);
-      process.exit(1);
-    });
+
+  stop()
+    .then(() => process.exit(0))
+    .catch(() => process.exit(1));
 });
 
-function main() {
-  console.log('Setting up environment...');
-  return setup()
-    .then(async () => {
-      while (true) {
-        await sleep(10000);
-      }
-    })
-    .catch((err: Error) => {
-      console.error(err);
-      process.exit(1);
-    });
+async function stop() {
+  const timer = setTimeout(() => {
+    console.error('Teardown timed out...');
+    process.exit(1);
+  }, teardown_timeout);
+  console.log('>>> Tearing down environment <<<');
+  try {  
+    await teardown();
+    clearTimeout(timer);
+  } catch (err) {
+    console.error(err);
+    throw err;
+  }
 }
 
-main();
\ No newline at end of file
+async function start() {
+  const timer = setTimeout(() => {
+    console.error('Setup timed out...');
+    teardown().finally(() => process.exit(1));
+  }, setup_timeout);
+  console.log('>>> Setting up environment <<<');
+  try {
+    await setup();
+    clearTimeout(timer);
+    await blockOrRun(command);
+    if (!teardownInProgress) {
+      await stop();
+      process.exit(0);
+    }
+  }
+  catch (err) {
+    console.error(err);
+    await stop();
+    process.exit(1);
+  }
+}
+
+start();
\ No newline at end of file
diff --git a/scripts/utils/docker.js b/scripts/utils/docker.js
index 5d78bbe3f..e899665b7 100644
--- a/scripts/utils/docker.js
+++ b/scripts/utils/docker.js
@@ -1,5 +1,6 @@
 
 
 module.exports = {
-  IMAGE_NAME: 'clems4ever/authelia'
+  IMAGE_NAME: 'authelia',
+  DOCKERHUB_IMAGE_NAME: 'clems4ever/authelia'
 }
\ No newline at end of file
diff --git a/scripts/utils/exec.js b/scripts/utils/exec.js
index 82cdec729..a8af70362 100644
--- a/scripts/utils/exec.js
+++ b/scripts/utils/exec.js
@@ -2,15 +2,12 @@ var spawn = require('child_process').spawn;
 
 function exec(cmd) {
   return new Promise((resolve, reject) => {
-    const command = spawn(cmd, {
-      shell: true
-    });
+    const command = spawn(cmd, {shell: true, env: process.env});
     command.stdout.pipe(process.stdout);
     command.stderr.pipe(process.stderr);
-
     command.on('exit', function(statusCode) {
       if (statusCode != 0) {
-        reject(new Error('Exited with status ' + statusCode));
+        reject(new Error('Command \'' + cmd + '\' has exited with status ' + statusCode + '.'));
         return;
       }
       resolve();
diff --git a/server/src/lib/IdentityCheckMiddleware.ts b/server/src/lib/IdentityCheckMiddleware.ts
index ff2fadea5..0ecdd8303 100644
--- a/server/src/lib/IdentityCheckMiddleware.ts
+++ b/server/src/lib/IdentityCheckMiddleware.ts
@@ -112,7 +112,7 @@ export function post_start_validation(handler: IdentityValidable,
       })
       .then((token: string) => {
         const host = req.get("Host");
-        const link_url = util.format("https://%s%s?token=%s", host,
+        const link_url = util.format("https://%s/#%s?token=%s", host,
           handler.destinationPath(), token);
         vars.logger.info(req, "Notification sent to user \"%s\"",
           identity.userid);
diff --git a/server/src/lib/Server.ts b/server/src/lib/Server.ts
index 1a5105789..c3d54a11c 100644
--- a/server/src/lib/Server.ts
+++ b/server/src/lib/Server.ts
@@ -49,8 +49,7 @@ export default class Server {
     return ServerVariablesInitializer.initialize(
       config, this.globalLogger, this.requestLogger, deps)
       .then(function (vars: ServerVariables) {
-        Configurator.configure(config, app, vars, deps);
-        return BluebirdPromise.resolve();
+        return Configurator.configure(config, app, vars, deps);
       });
   }
 
diff --git a/server/src/lib/authorization/Authorizer.ts b/server/src/lib/authorization/Authorizer.ts
index 1d3995626..f6f9cf41e 100644
--- a/server/src/lib/authorization/Authorizer.ts
+++ b/server/src/lib/authorization/Authorizer.ts
@@ -45,11 +45,9 @@ function MatchSubject(subject: Subject) {
 }
 
 export class Authorizer implements IAuthorizer {
-  private logger: Winston;
   private readonly configuration: ACLConfiguration;
 
   constructor(configuration: ACLConfiguration, logger_: Winston) {
-    this.logger = logger_;
     this.configuration = configuration;
   }
 
diff --git a/server/src/lib/configuration/SessionConfigurationBuilder.spec.ts b/server/src/lib/configuration/SessionConfigurationBuilder.spec.ts
index d4a3093ee..1ecc3c21c 100644
--- a/server/src/lib/configuration/SessionConfigurationBuilder.spec.ts
+++ b/server/src/lib/configuration/SessionConfigurationBuilder.spec.ts
@@ -3,7 +3,6 @@ import { Configuration } from "./schema/Configuration";
 import { GlobalDependencies } from "../../../types/Dependencies";
 
 import ExpressSession = require("express-session");
-import ConnectRedis = require("connect-redis");
 import Sinon = require("sinon");
 import Assert = require("assert");
 
@@ -128,22 +127,15 @@ describe("configuration/SessionConfigurationBuilder", function () {
       password: "authelia_pass"
     };
     const RedisStoreMock = Sinon.spy();
-    const redisClient = Sinon.mock().returns({ on: Sinon.spy() });
-    const createClientStub = Sinon.stub();
+    deps.ConnectRedis = Sinon.stub().returns(RedisStoreMock);
 
-    deps.ConnectRedis = Sinon.stub().returns(RedisStoreMock) as any;
-    deps.Redis = {
-      createClient: createClientStub
-    } as any;
+    SessionConfigurationBuilder.build(configuration, deps);
 
-    createClientStub.returns(redisClient);
-
-    const options = SessionConfigurationBuilder.build(configuration, deps);
-
-    Assert(createClientStub.calledWith({
+    Assert(RedisStoreMock.calledWith({
       host: "redis.example.com",
       port: 6379,
-      password: "authelia_pass"
+      pass: "authelia_pass",
+      logErrors: true,
     }));
   });
 });
\ No newline at end of file
diff --git a/server/src/lib/configuration/SessionConfigurationBuilder.ts b/server/src/lib/configuration/SessionConfigurationBuilder.ts
index 6ce643d9d..6f621b317 100644
--- a/server/src/lib/configuration/SessionConfigurationBuilder.ts
+++ b/server/src/lib/configuration/SessionConfigurationBuilder.ts
@@ -1,12 +1,8 @@
 import ExpressSession = require("express-session");
-import Redis = require("redis");
-
 import { Configuration } from "./schema/Configuration";
 import { GlobalDependencies } from "../../../types/Dependencies";
-import { RedisStoreOptions } from "connect-redis";
 
 export class SessionConfigurationBuilder {
-
   static build(configuration: Configuration, deps: GlobalDependencies): ExpressSession.SessionOptions {
     const sessionOptions: ExpressSession.SessionOptions = {
       name: configuration.session.name,
@@ -22,30 +18,13 @@ export class SessionConfigurationBuilder {
     };
 
     if (configuration.session.redis) {
-      let redisOptions;
-      const options: Redis.ClientOpts = {
+      const RedisStore = deps.ConnectRedis(deps.session);
+      sessionOptions.store = new RedisStore({
         host: configuration.session.redis.host,
-        port: configuration.session.redis.port
-      };
-
-      if (configuration.session.redis.password) {
-        options["password"] = configuration.session.redis.password;
-      }
-      const client = deps.Redis.createClient(options);
-
-      client.on("error", function (err: Error) {
-        console.error("Redis error:", err);
-      });
-
-      redisOptions = {
-        client: client,
+        port: configuration.session.redis.port,
+        pass: configuration.session.redis.password,
         logErrors: true
-      };
-
-      if (redisOptions) {
-        const RedisStore = deps.ConnectRedis(deps.session);
-        sessionOptions.store = new RedisStore(redisOptions);
-      }
+      });
     }
     return sessionOptions;
   }
diff --git a/server/src/lib/routes/firstfactor/post.spec.ts b/server/src/lib/routes/firstfactor/post.spec.ts
index 71244e5ce..fb2a7f3e8 100644
--- a/server/src/lib/routes/firstfactor/post.spec.ts
+++ b/server/src/lib/routes/firstfactor/post.spec.ts
@@ -1,5 +1,3 @@
-
-import Sinon = require("sinon");
 import BluebirdPromise = require("bluebird");
 import Assert = require("assert");
 import FirstFactorPost = require("./post");
diff --git a/server/src/lib/routes/firstfactor/post.ts b/server/src/lib/routes/firstfactor/post.ts
index 7f252e6c2..3dcb4dd2d 100644
--- a/server/src/lib/routes/firstfactor/post.ts
+++ b/server/src/lib/routes/firstfactor/post.ts
@@ -14,6 +14,8 @@ import { URLDecomposer } from "../..//utils/URLDecomposer";
 import { Object } from "../../../lib/authorization/Object";
 import { Subject } from "../../../lib/authorization/Subject";
 import AuthenticationError from "../../../lib/authentication/AuthenticationError";
+import IsRedirectionSafe from "../../../lib/utils/IsRedirectionSafe";
+import * as URLParse from "url-parse";
 
 export default function (vars: ServerVariables) {
   return function (req: express.Request, res: express.Response)
@@ -61,7 +63,7 @@ export default function (vars: ServerVariables) {
         vars.regulator.mark(username, true);
       })
       .then(function() {
-        const targetUrl = ObjectPath.get(req, "headers.x-target-url", undefined);
+        const targetUrl = ObjectPath.get<Express.Request, string>(req, "headers.x-target-url", undefined);
 
         if (!targetUrl) {
           res.status(204);
@@ -83,10 +85,13 @@ export default function (vars: ServerVariables) {
 
           const authorizationLevel = vars.authorizer.authorization(resObject, subject);
           if (authorizationLevel <= AuthorizationLevel.ONE_FACTOR) {
-            res.json({
-              redirect: targetUrl
-            });
-            return BluebirdPromise.resolve();
+            if (IsRedirectionSafe(vars, authSession, new URLParse(targetUrl))) {
+              res.json({redirect: targetUrl});
+              return BluebirdPromise.resolve();
+            } else {
+              res.json({error: "You're authenticated but cannot be automatically redirected to an unsafe URL."});
+              return BluebirdPromise.resolve();
+            }
           }
         }
 
diff --git a/server/src/lib/routes/redirect/post.ts b/server/src/lib/routes/redirect/post.ts
deleted file mode 100644
index ab001a9b6..000000000
--- a/server/src/lib/routes/redirect/post.ts
+++ /dev/null
@@ -1,31 +0,0 @@
-import * as Express from "express";
-import { ServerVariables } from "../../ServerVariables";
-import { AuthenticationSessionHandler } from "../../AuthenticationSessionHandler";
-import { Level } from "../../authentication/Level";
-import * as URLParse from "url-parse";
-
-export default function (vars: ServerVariables) {
-  return function (req: Express.Request, res: Express.Response) {
-    if (!req.body.url) {
-      res.status(400);
-      vars.logger.error(req, "Provide url for verification to be done.");
-      return;
-    }
-
-    const authSession = AuthenticationSessionHandler.get(req, vars.logger);
-    const url = new URLParse(req.body.url);
-
-    const urlInDomain = url.hostname.endsWith(vars.config.session.domain);
-    vars.logger.debug(req, "Check domain %s is in url %s.", vars.config.session.domain, url.hostname);
-    const sufficientPermissions = authSession.authentication_level >= Level.TWO_FACTOR;
-
-    vars.logger.debug(req, "Check that protocol %s is HTTPS.", url.protocol);
-    const protocolIsHttps = url.protocol === "https:";
-
-    if (sufficientPermissions && urlInDomain && protocolIsHttps) {
-      res.send("OK");
-      return;
-    }
-    res.send("NOK");
-  };
-}
diff --git a/server/src/lib/routes/secondfactor/redirect.ts b/server/src/lib/routes/secondfactor/redirect.ts
index 75132f960..e0af16cc0 100644
--- a/server/src/lib/routes/secondfactor/redirect.ts
+++ b/server/src/lib/routes/secondfactor/redirect.ts
@@ -1,24 +1,36 @@
 
 import express = require("express");
+import * as URLParse from "url-parse";
+import * as ObjectPath from "object-path";
 import { ServerVariables } from "../../ServerVariables";
 import BluebirdPromise = require("bluebird");
 import ErrorReplies = require("../../ErrorReplies");
 import UserMessages = require("../../../../../shared/UserMessages");
-import { RedirectionMessage } from "../../../../../shared/RedirectionMessage";
+import IsRedirectionSafe from "../../../lib/utils/IsRedirectionSafe";
+import { AuthenticationSessionHandler } from "../../../lib/AuthenticationSessionHandler";
+
 
 export default function (vars: ServerVariables) {
   return function (req: express.Request, res: express.Response)
     : BluebirdPromise<void> {
 
     return new BluebirdPromise<void>(function (resolve, reject) {
-      let redirectUrl: string = "/";
-      if (vars.config.default_redirection_url) {
+      let redirectUrl: string = ObjectPath.get<Express.Request, string>(
+        req, "headers.x-target-url", undefined);
+
+      if (!redirectUrl && vars.config.default_redirection_url) {
         redirectUrl = vars.config.default_redirection_url;
       }
-      vars.logger.debug(req, "Request redirection to \"%s\".", redirectUrl);
-      res.json({
-        redirect: redirectUrl
-      } as RedirectionMessage);
+
+      const authSession = AuthenticationSessionHandler.get(req, vars.logger);
+      if ((redirectUrl && !IsRedirectionSafe(vars, authSession, new URLParse(redirectUrl)))
+          || !redirectUrl) {
+        res.status(204);
+        res.send();
+        return resolve();
+      }
+
+      res.json({redirect: redirectUrl});
       return resolve();
     })
       .catch(ErrorReplies.replyWithError200(req, res, vars.logger,
diff --git a/server/src/lib/routes/secondfactor/u2f/sign/post.ts b/server/src/lib/routes/secondfactor/u2f/sign/post.ts
index 69eda0a39..2b70bf30a 100644
--- a/server/src/lib/routes/secondfactor/u2f/sign/post.ts
+++ b/server/src/lib/routes/secondfactor/u2f/sign/post.ts
@@ -4,7 +4,7 @@ import BluebirdPromise = require("bluebird");
 import express = require("express");
 import { U2FRegistrationDocument } from "../../../../storage/U2FRegistrationDocument";
 import U2f = require("u2f");
-import redirect from "../../redirect";
+import Redirect from "../../redirect";
 import ErrorReplies = require("../../../../ErrorReplies");
 import { ServerVariables } from "../../../../ServerVariables";
 import { AuthenticationSessionHandler } from "../../../../AuthenticationSessionHandler";
@@ -41,7 +41,7 @@ export default function (vars: ServerVariables) {
           return BluebirdPromise.reject(new Error("Error while signing"));
         vars.logger.info(req, "Successful authentication");
         authSession.authentication_level = Level.TWO_FACTOR;
-        redirect(vars)(req, res);
+        Redirect(vars)(req, res);
         return BluebirdPromise.resolve();
       })
       .catch(ErrorReplies.replyWithError200(req, res, vars.logger,
diff --git a/server/src/lib/utils/IsRedirectionSafe.ts b/server/src/lib/utils/IsRedirectionSafe.ts
new file mode 100644
index 000000000..8500b1bd7
--- /dev/null
+++ b/server/src/lib/utils/IsRedirectionSafe.ts
@@ -0,0 +1,14 @@
+import { ServerVariables } from "../ServerVariables";
+import { Level } from "../authentication/Level";
+import * as URLParse from "url-parse";
+import { AuthenticationSession } from "AuthenticationSession";
+
+export default function IsRedirectionSafe(
+  vars: ServerVariables,
+  authSession: AuthenticationSession,
+  url: URLParse): boolean {
+
+  const urlInDomain = url.hostname.endsWith(vars.config.session.domain);
+  const protocolIsHttps = url.protocol === "https:";
+  return urlInDomain && protocolIsHttps;
+}
diff --git a/server/src/lib/utils/SafeRedirection.spec.ts b/server/src/lib/utils/SafeRedirection.spec.ts
deleted file mode 100644
index 4126949fd..000000000
--- a/server/src/lib/utils/SafeRedirection.spec.ts
+++ /dev/null
@@ -1,33 +0,0 @@
-import Assert = require("assert");
-import Sinon = require("sinon");
-import { SafeRedirector } from "./SafeRedirection";
-
-describe("web_server/middlewares/SafeRedirection", () => {
-  describe("Url is in protected domain", () => {
-    before(() => {
-      this.redirector = new SafeRedirector("example.com");
-      this.res = {redirect: Sinon.stub()};
-    });
-
-    it("should redirect to provided url", () => {
-      this.redirector.redirectOrElse(this.res,
-        "https://mysubdomain.example.com:8080/abc",
-        "https://authelia.example.com");
-      Assert(this.res.redirect.calledWith("https://mysubdomain.example.com:8080/abc"));
-    });
-
-    it("should redirect to default url when wrong domain", () => {
-      this.redirector.redirectOrElse(this.res,
-        "https://mysubdomain.domain.rtf:8080/abc",
-        "https://authelia.example.com");
-      Assert(this.res.redirect.calledWith("https://authelia.example.com"));
-    });
-
-    it("should redirect to default url when not terminating by domain", () => {
-      this.redirector.redirectOrElse(this.res,
-        "https://mysubdomain.example.com.rtf:8080/abc",
-        "https://authelia.example.com");
-      Assert(this.res.redirect.calledWith("https://authelia.example.com"));
-    });
-  });
-});
\ No newline at end of file
diff --git a/server/src/lib/utils/SafeRedirection.ts b/server/src/lib/utils/SafeRedirection.ts
deleted file mode 100644
index 0a2e70488..000000000
--- a/server/src/lib/utils/SafeRedirection.ts
+++ /dev/null
@@ -1,21 +0,0 @@
-import Express = require("express");
-import { BelongToDomain } from "../../../../shared/BelongToDomain";
-
-
-export class SafeRedirector {
-  private domain: string;
-
-  constructor(domain: string) {
-    this.domain = domain;
-  }
-
-  redirectOrElse(
-    res: Express.Response,
-    url: string,
-    defaultUrl: string): void {
-    if (BelongToDomain(url, this.domain)) {
-        res.redirect(url);
-      }
-      res.redirect(defaultUrl);
-  }
-}
\ No newline at end of file
diff --git a/server/src/lib/web_server/Configurator.ts b/server/src/lib/web_server/Configurator.ts
index be2d2acad..93ffd8ab0 100644
--- a/server/src/lib/web_server/Configurator.ts
+++ b/server/src/lib/web_server/Configurator.ts
@@ -34,6 +34,12 @@ export class Configurator {
     app.disable(X_POWERED_BY);
     app.enable(TRUST_PROXY);
     app.use(Helmet());
+    app.use(function (req, res, next) {
+      if (!req.session) {
+        return next(new Error("No session available."));
+      }
+      next();
+    });
 
     RestApi.setup(app, vars);
   }
diff --git a/server/src/lib/web_server/RestApi.ts b/server/src/lib/web_server/RestApi.ts
index de17f3655..1a6ab7255 100644
--- a/server/src/lib/web_server/RestApi.ts
+++ b/server/src/lib/web_server/RestApi.ts
@@ -3,7 +3,6 @@ import Express = require("express");
 import FirstFactorPost = require("../routes/firstfactor/post");
 import LogoutPost from "../routes/logout/post";
 import StateGet from "../routes/state/get";
-import RedirectPost from "../routes/redirect/post";
 import VerifyGet = require("../routes/verify/get");
 import TOTPSignGet = require("../routes/secondfactor/totp/sign/post");
 
@@ -87,7 +86,6 @@ function setupResetPassword(app: Express.Application, vars: ServerVariables) {
 export class RestApi {
   static setup(app: Express.Application, vars: ServerVariables): void {
     app.get(Endpoints.STATE_GET, StateGet(vars));
-    app.post(Endpoints.REDIRECT_POST, RedirectPost(vars));
 
     app.post(Endpoints.LOGOUT_POST, LogoutPost(vars));
 
diff --git a/shared/DomainExtractor.spec.ts b/shared/DomainExtractor.spec.ts
index 9df525b55..c1ba04154 100644
--- a/shared/DomainExtractor.spec.ts
+++ b/shared/DomainExtractor.spec.ts
@@ -25,8 +25,8 @@ describe.only("shared/DomainExtractor", function () {
       const domain1 = DomainExtractor.fromUrl("https://login.example.com:8080/?rd=https://public.example.com:8080/");
       Assert.equal(domain1, "login.example.com");
 
-      const domain2 = DomainExtractor.fromUrl("https://single_factor.example.com:8080/secret.html");
-      Assert.equal(domain2, "single_factor.example.com");
+      const domain2 = DomainExtractor.fromUrl("https://singlefactor.example.com:8080/secret.html");
+      Assert.equal(domain2, "singlefactor.example.com");
     });
   });
 });
\ No newline at end of file
diff --git a/shared/api.ts b/shared/api.ts
index dacb04f6d..18b1b6ee6 100644
--- a/shared/api.ts
+++ b/shared/api.ts
@@ -285,19 +285,4 @@ export const VERIFY_GET = "/api/verify";
  *
  * @apiDescription Resets the session to logout the user.
  */
-export const LOGOUT_POST = "/api/logout";
-
-/**
- * @api {post} /api/redirect Url redirection checking endpoint
- * @apiName Redirect
- * @apiGroup Authentication
- * @apiVersion 1.0.0
- * @apiDescription Check if the user can be redirected to the url provided.
- * The level of permissions for this user are checked and the url must be
- * in the domain protected by authelia.
- *
- * @apiSuccess (Success 200)
- *
- * @apiDescription Resets the session to logout the user.
- */
-export const REDIRECT_POST = "/api/redirect";
\ No newline at end of file
+export const LOGOUT_POST = "/api/logout";
\ No newline at end of file
diff --git a/test/helpers/ClickOn.ts b/test/helpers/ClickOn.ts
index 09b5935d6..75b0b1afd 100644
--- a/test/helpers/ClickOn.ts
+++ b/test/helpers/ClickOn.ts
@@ -1,7 +1,7 @@
 import SeleniumWebdriver, { WebDriver, Locator } from "selenium-webdriver";
 
-export default async function(driver: WebDriver, locator: Locator) {
+export default async function(driver: WebDriver, locator: Locator, timeout: number = 5000) {
   const el = await driver.wait(
-    SeleniumWebdriver.until.elementLocated(locator), 5000);
+    SeleniumWebdriver.until.elementLocated(locator), timeout);
   await el.click();
 };
\ No newline at end of file
diff --git a/test/helpers/ClickOnLink.ts b/test/helpers/ClickOnLink.ts
index ec9d7bedc..50e056531 100644
--- a/test/helpers/ClickOnLink.ts
+++ b/test/helpers/ClickOnLink.ts
@@ -1,8 +1,8 @@
 import SeleniumWebdriver, { WebDriver } from "selenium-webdriver";
 
-export default async function(driver: WebDriver, linkText: string) {
+export default async function(driver: WebDriver, linkText: string, timeout: number = 5000) {
   const element = await driver.wait(
     SeleniumWebdriver.until.elementLocated(
-      SeleniumWebdriver.By.linkText(linkText)), 5000)
+      SeleniumWebdriver.By.linkText(linkText)), timeout)
   await element.click();
 };
\ No newline at end of file
diff --git a/test/helpers/FillField.ts b/test/helpers/FillField.ts
index 80566b7c6..c02594745 100644
--- a/test/helpers/FillField.ts
+++ b/test/helpers/FillField.ts
@@ -1,9 +1,9 @@
 import SeleniumWebdriver, { WebDriver } from "selenium-webdriver";
 
-export default async function(driver: WebDriver, fieldName: string, text: string) {
+export default async function(driver: WebDriver, fieldName: string, text: string, timeout: number = 5000) {
   const element = await driver.wait(
     SeleniumWebdriver.until.elementLocated(
-      SeleniumWebdriver.By.name(fieldName)), 5000)
+      SeleniumWebdriver.By.name(fieldName)), timeout)
 
   await element.sendKeys(text);
 };
\ No newline at end of file
diff --git a/test/helpers/FillLoginPageAndClick.ts b/test/helpers/FillLoginPageAndClick.ts
index 9ffe5d50c..276c322dd 100644
--- a/test/helpers/FillLoginPageAndClick.ts
+++ b/test/helpers/FillLoginPageAndClick.ts
@@ -4,9 +4,10 @@ export default async function(
   driver: WebDriver,
   username: string,
   password: string,
-  keepMeLoggedIn: boolean = false) {
+  keepMeLoggedIn: boolean = false,
+  timeout: number = 5000) {
   
-  await driver.wait(SeleniumWebdriver.until.elementLocated(SeleniumWebdriver.By.id("username")), 5000)
+  await driver.wait(SeleniumWebdriver.until.elementLocated(SeleniumWebdriver.By.id("username")), timeout)
   await driver.findElement(SeleniumWebdriver.By.id("username")).sendKeys(username);
   await driver.findElement(SeleniumWebdriver.By.id("password")).sendKeys(password);
   if (keepMeLoggedIn) {
diff --git a/test/helpers/FullLogin.ts b/test/helpers/FullLogin.ts
index 6b88945c8..cd9cca54d 100644
--- a/test/helpers/FullLogin.ts
+++ b/test/helpers/FullLogin.ts
@@ -4,8 +4,8 @@ import { WebDriver } from "selenium-webdriver";
 import VisitPageAndWaitUrlIs from "./behaviors/VisitPageAndWaitUrlIs";
 
 // Validate the two factors!
-export default async function(driver: WebDriver, user: string, secret: string, url: string) {
-  await VisitPageAndWaitUrlIs(driver, `https://login.example.com:8080/?rd=${url}`);
-  await FillLoginPageAndClick(driver, user, 'password');
-  await ValidateTotp(driver, secret);
+export default async function(driver: WebDriver, user: string, secret: string, url: string, timeout: number = 5000) {
+  await VisitPageAndWaitUrlIs(driver, `https://login.example.com:8080/#/?rd=${url}`, timeout);
+  await FillLoginPageAndClick(driver, user, 'password', false, timeout);
+  await ValidateTotp(driver, secret, timeout);
 }
\ No newline at end of file
diff --git a/test/helpers/GetIdentityLink.ts b/test/helpers/GetIdentityLink.ts
index c0f07b921..fe237dc23 100644
--- a/test/helpers/GetIdentityLink.ts
+++ b/test/helpers/GetIdentityLink.ts
@@ -15,13 +15,15 @@ export async function GetLinkFromFile() {
 export async function GetLinkFromEmail() {
   const data = await Request({
     method: "GET",
-    uri: "http://localhost:8085/messages",
-    json: true
+    uri: "https://mail.example.com:8080/messages",
+    json: true,
+    rejectUnauthorized: false,
   });
   const messageId = data[data.length - 1].id;
   const data2 = await Request({
     method: "GET",
-    uri: `http://localhost:8085/messages/${messageId}.html`
+    rejectUnauthorized: false,
+    uri: `https://mail.example.com:8080/messages/${messageId}.html`
   });
   const regexp = new RegExp(/<a href="(.+)" class="button">Continue<\/a>/);
   const match = regexp.exec(data2);
diff --git a/test/helpers/LoginAndRegisterTotp.ts b/test/helpers/LoginAndRegisterTotp.ts
index f62c4fbba..7a25c3a1c 100644
--- a/test/helpers/LoginAndRegisterTotp.ts
+++ b/test/helpers/LoginAndRegisterTotp.ts
@@ -3,8 +3,8 @@ import LoginAs from './LoginAs';
 import { WebDriver } from 'selenium-webdriver';
 import VerifyIsSecondFactorStage from './assertions/VerifyIsSecondFactorStage';
 
-export default async function(driver: WebDriver, user: string, password: string, email: boolean = false) {
-  await LoginAs(driver, user, password);
-  await VerifyIsSecondFactorStage(driver);
-  return await RegisterTotp(driver, email);
+export default async function(driver: WebDriver, user: string, password: string, email: boolean = false, timeout: number = 5000) {
+  await LoginAs(driver, user, password, undefined, timeout);
+  await VerifyIsSecondFactorStage(driver, timeout);
+  return await RegisterTotp(driver, email, timeout);
 }
\ No newline at end of file
diff --git a/test/helpers/LoginAs.ts b/test/helpers/LoginAs.ts
index 1894d211f..02606ffa8 100644
--- a/test/helpers/LoginAs.ts
+++ b/test/helpers/LoginAs.ts
@@ -2,8 +2,8 @@ import FillLoginPageAndClick from './FillLoginPageAndClick';
 import { WebDriver } from "selenium-webdriver";
 import VisitPageAndWaitUrlIs from "./behaviors/VisitPageAndWaitUrlIs";
 
-export default async function(driver: WebDriver, user: string, password: string, targetUrl?: string) {
+export default async function(driver: WebDriver, user: string, password: string, targetUrl?: string, timeout: number = 5000) {
   const urlExt = (targetUrl) ? ('rd=' + targetUrl) : '';
-  await VisitPageAndWaitUrlIs(driver, "https://login.example.com:8080/" + urlExt);
-  await FillLoginPageAndClick(driver, user, password);
+  await VisitPageAndWaitUrlIs(driver, "https://login.example.com:8080/#/" + urlExt, timeout);
+  await FillLoginPageAndClick(driver, user, password, false, timeout);
 }
\ No newline at end of file
diff --git a/test/helpers/Logout.ts b/test/helpers/Logout.ts
index eccd40f1e..2410ce8bf 100644
--- a/test/helpers/Logout.ts
+++ b/test/helpers/Logout.ts
@@ -1,5 +1,6 @@
 import { WebDriver } from "selenium-webdriver";
+import VisitPage from "./VisitPage";
 
 export default async function(driver: WebDriver) {
-  await driver.get(`https://login.example.com:8080/logout`);
+  await VisitPage(driver, `https://login.example.com:8080/#/logout`);
 }
\ No newline at end of file
diff --git a/test/helpers/RegisterTotp.ts b/test/helpers/RegisterTotp.ts
index 8c3cc32b7..7ca1fdd6b 100644
--- a/test/helpers/RegisterTotp.ts
+++ b/test/helpers/RegisterTotp.ts
@@ -1,13 +1,13 @@
 import SeleniumWebdriver = require("selenium-webdriver");
 import {GetLinkFromFile, GetLinkFromEmail} from './GetIdentityLink';
 
-export default async function(driver: SeleniumWebdriver.WebDriver, email?: boolean){
-  await driver.wait(SeleniumWebdriver.until.elementLocated(SeleniumWebdriver.By.className("register-totp")), 5000)
+export default async function(driver: SeleniumWebdriver.WebDriver, email?: boolean, timeout: number = 5000){
+  await driver.wait(SeleniumWebdriver.until.elementLocated(SeleniumWebdriver.By.className("register-totp")), timeout)
   await driver.findElement(SeleniumWebdriver.By.className("register-totp")).click();
   await driver.sleep(500);
   
   const link = (email) ? await GetLinkFromEmail() : await GetLinkFromFile();
   await driver.get(link);
-  await driver.wait(SeleniumWebdriver.until.elementLocated(SeleniumWebdriver.By.className("base32-secret")), 5000);
+  await driver.wait(SeleniumWebdriver.until.elementLocated(SeleniumWebdriver.By.className("base32-secret")), timeout);
   return await driver.findElement(SeleniumWebdriver.By.className("base32-secret")).getText();
 };
diff --git a/test/helpers/ValidateTotp.ts b/test/helpers/ValidateTotp.ts
index 63a2e107f..4275a45b3 100644
--- a/test/helpers/ValidateTotp.ts
+++ b/test/helpers/ValidateTotp.ts
@@ -1,16 +1,16 @@
 import Speakeasy from "speakeasy";
 import SeleniumWebdriver, { WebDriver } from 'selenium-webdriver';
 
-export default async function(driver: WebDriver, secret: string) {
+export default async function(driver: WebDriver, secret: string, timeout: number = 5000) {
   const token = Speakeasy.totp({
     secret: secret,
     encoding: "base32"
   });
 
   await driver.wait(SeleniumWebdriver.until.elementLocated(
-      SeleniumWebdriver.By.id("totp-token")), 5000)
+      SeleniumWebdriver.By.id("totp-token")), timeout)
   await driver.findElement(SeleniumWebdriver.By.id("totp-token")).sendKeys(token);
   
-  const el = await driver.wait(SeleniumWebdriver.until.elementLocated(SeleniumWebdriver.By.id('totp-button')));
+  const el = await driver.wait(SeleniumWebdriver.until.elementLocated(SeleniumWebdriver.By.id('totp-button')), timeout);
   el.click();
 }
\ No newline at end of file
diff --git a/test/helpers/VisitPage.ts b/test/helpers/VisitPage.ts
index 6a6d781c5..4b2fadfd0 100644
--- a/test/helpers/VisitPage.ts
+++ b/test/helpers/VisitPage.ts
@@ -1,5 +1,5 @@
 import { WebDriver } from "selenium-webdriver";
 
-export default async function(driver: WebDriver, url: string, timeout: number = 5000) {
+export default async function(driver: WebDriver, url: string) {
   await driver.get(url);
 }
\ No newline at end of file
diff --git a/test/helpers/assertions/VerifyBodyContains.ts b/test/helpers/assertions/VerifyBodyContains.ts
new file mode 100644
index 000000000..19c847195
--- /dev/null
+++ b/test/helpers/assertions/VerifyBodyContains.ts
@@ -0,0 +1,9 @@
+import SeleniumWebdriver, { WebDriver } from "selenium-webdriver";
+
+export default async function(driver: WebDriver, match: string, timeout: number = 5000) {
+  const el = await driver.wait(
+    SeleniumWebdriver.until.elementLocated(SeleniumWebdriver.By.tagName('body')), timeout);
+
+  await driver.wait(
+    SeleniumWebdriver.until.elementTextContains(el, match), timeout);
+}
\ No newline at end of file
diff --git a/test/helpers/assertions/VerifySecretObserved.ts b/test/helpers/assertions/VerifySecretObserved.ts
index 583c37c88..1cb1d6ba1 100644
--- a/test/helpers/assertions/VerifySecretObserved.ts
+++ b/test/helpers/assertions/VerifySecretObserved.ts
@@ -1,10 +1,7 @@
-import SeleniumWebdriver, { WebDriver } from "selenium-webdriver";
+import { WebDriver } from "selenium-webdriver";
+import VerifyBodyContains from "./VerifyBodyContains";
 
 // Verify if the current page contains "This is a very important secret!".
 export default async function(driver: WebDriver, timeout: number = 5000) {
-  const el = await driver.wait(
-    SeleniumWebdriver.until.elementLocated(SeleniumWebdriver.By.tagName('body')), timeout);
-
-  await driver.wait(
-    SeleniumWebdriver.until.elementTextContains(el, "This is a very important secret!"), timeout);
+  await VerifyBodyContains(driver, "This is a very important secret!", timeout);
 }
\ No newline at end of file
diff --git a/test/helpers/assertions/VerifyUrlContains.ts b/test/helpers/assertions/VerifyUrlContains.ts
new file mode 100644
index 000000000..efd92f2e5
--- /dev/null
+++ b/test/helpers/assertions/VerifyUrlContains.ts
@@ -0,0 +1,5 @@
+import SeleniumWebdriver, { WebDriver } from "selenium-webdriver";
+
+export default async function(driver: WebDriver, pattern: string, timeout: number = 5000) {
+  await driver.wait(SeleniumWebdriver.until.urlContains(pattern), timeout);
+}
\ No newline at end of file
diff --git a/test/helpers/behaviors/LoginOneFactor.ts b/test/helpers/behaviors/LoginOneFactor.ts
index ead8e13fc..50c178e27 100644
--- a/test/helpers/behaviors/LoginOneFactor.ts
+++ b/test/helpers/behaviors/LoginOneFactor.ts
@@ -7,9 +7,10 @@ export default async function(
   driver: WebDriver,
   username: string,
   password: string,
-  targetUrl: string) {
+  targetUrl: string,
+  timeout: number = 5000) {
 
-    await VisitPageAndWaitUrlIs(driver, `https://login.example.com:8080/?rd=${targetUrl}`);
-    await FillLoginPageAndClick(driver, username, password);
-    await VerifyUrlIs(driver, targetUrl);
+    await VisitPageAndWaitUrlIs(driver, `https://login.example.com:8080/#/?rd=${targetUrl}`, timeout);
+    await FillLoginPageAndClick(driver, username, password, false, timeout);
+    await VerifyUrlIs(driver, targetUrl, timeout);
 };
\ No newline at end of file
diff --git a/test/helpers/behaviors/RegisterAndLoginTwoFactor.ts b/test/helpers/behaviors/RegisterAndLoginTwoFactor.ts
index 49868673c..6f9846657 100644
--- a/test/helpers/behaviors/RegisterAndLoginTwoFactor.ts
+++ b/test/helpers/behaviors/RegisterAndLoginTwoFactor.ts
@@ -8,10 +8,11 @@ export default async function(
   username: string,
   password: string,
   email: boolean = false,
-  targetUrl: string = "https://login.example.com:8080/") {
+  targetUrl: string = "https://login.example.com:8080/#/",
+  timeout: number = 5000) {
 
-  const secret = await LoginAndRegisterTotp(driver, username, password, email);
-  await FullLogin(driver, username, secret, targetUrl);
-  await VerifyUrlIs(driver, targetUrl);
+  const secret = await LoginAndRegisterTotp(driver, username, password, email, timeout);
+  await FullLogin(driver, username, secret, targetUrl, timeout);
+  await VerifyUrlIs(driver, targetUrl, timeout);
   return secret;
 };
\ No newline at end of file
diff --git a/test/helpers/behaviors/VisitPageAndWaitUrlIs.ts b/test/helpers/behaviors/VisitPageAndWaitUrlIs.ts
index 6ff8229aa..f78b45721 100644
--- a/test/helpers/behaviors/VisitPageAndWaitUrlIs.ts
+++ b/test/helpers/behaviors/VisitPageAndWaitUrlIs.ts
@@ -4,5 +4,5 @@ import VisitPage from "../VisitPage";
 
 export default async function(driver: WebDriver, url: string, timeout: number = 5000) {
   await VisitPage(driver, url);
-  await VerifyUrlIs(driver, url);
+  await VerifyUrlIs(driver, url, timeout);
 }
\ No newline at end of file
diff --git a/test/helpers/context/AutheliaServerWithHotReload.ts b/test/helpers/context/AutheliaServerWithHotReload.ts
index 7a0ec8fe0..3e7f09ea1 100644
--- a/test/helpers/context/AutheliaServerWithHotReload.ts
+++ b/test/helpers/context/AutheliaServerWithHotReload.ts
@@ -4,6 +4,7 @@ import { exec } from '../utils/exec';
 import ChildProcess from 'child_process';
 import kill from 'tree-kill';
 import AutheliaServerInterface from './AutheliaServerInterface';
+import sleep from '../utils/sleep';
 
 class AutheliaServerWithHotReload implements AutheliaServerInterface {
   private watcher: Chokidar.FSWatcher;
@@ -11,6 +12,8 @@ class AutheliaServerWithHotReload implements AutheliaServerInterface {
   private AUTHELIA_INTERRUPT_FILENAME = '.authelia-interrupt';
   private serverProcess: ChildProcess.ChildProcess | undefined;
   private clientProcess: ChildProcess.ChildProcess | undefined;
+  private filesChangedBuffer: string[] = [];
+  private changeInProgress: boolean = false;
 
   constructor(configPath: string) {
     this.configPath = configPath;
@@ -22,6 +25,7 @@ class AutheliaServerWithHotReload implements AutheliaServerInterface {
   }
 
   private async startServer() {
+    if (this.serverProcess) return;
     await exec('./node_modules/.bin/tslint -c server/tslint.json -p server/tsconfig.json')
     this.serverProcess = ChildProcess.spawn('./node_modules/.bin/ts-node',
       ['-P', './server/tsconfig.json', './server/src/index.ts', this.configPath], {
@@ -30,8 +34,8 @@ class AutheliaServerWithHotReload implements AutheliaServerInterface {
     this.serverProcess.stdout.pipe(process.stdout);
     this.serverProcess.stderr.pipe(process.stderr);
     this.serverProcess.on('exit', () => {
-      console.log('Authelia server exited.');
       if (!this.serverProcess) return;
+      console.log('Authelia server with pid=%s exited.', this.serverProcess.pid);
       this.serverProcess.removeAllListeners();
       this.serverProcess = undefined;
     });
@@ -40,9 +44,10 @@ class AutheliaServerWithHotReload implements AutheliaServerInterface {
   private killServer() {
     return new Promise((resolve, reject) => {
       if (this.serverProcess) {
+        const pid = this.serverProcess.pid;
         try {
           const timeout = setTimeout(
-            () => reject(new Error('Server not killed after timeout.')), 10000);
+            () => reject(new Error(`Server with pid=${pid} not killed after timeout.`)), 10000);
           this.serverProcess.on('exit', () => {
             clearTimeout(timeout);
             resolve();
@@ -58,6 +63,8 @@ class AutheliaServerWithHotReload implements AutheliaServerInterface {
   }
 
   private async startClient() {
+    if (this.clientProcess) return;
+
     this.clientProcess = ChildProcess.spawn('npm', ['run', 'start'], {
       cwd: './client',
       env: {
@@ -68,8 +75,8 @@ class AutheliaServerWithHotReload implements AutheliaServerInterface {
     this.clientProcess.stdout.pipe(process.stdout);
     this.clientProcess.stderr.pipe(process.stderr);
     this.clientProcess.on('exit', () => {
-      console.log('Authelia client exited.');
       if (!this.clientProcess) return;
+      console.log('Authelia client exited with pid=%s.', this.clientProcess.pid);
       this.clientProcess.removeAllListeners();
       this.clientProcess = undefined;
     })
@@ -78,9 +85,10 @@ class AutheliaServerWithHotReload implements AutheliaServerInterface {
   private killClient() {
     return new Promise((resolve, reject) => {
       if (this.clientProcess) {
+        const pid = this.clientProcess.pid;
         try {
           const timeout = setTimeout(
-            () => reject(new Error('Server not killed after timeout.')), 10000);
+            () => reject(new Error(`Server with pid=${pid} not killed after timeout.`)), 10000);
           this.clientProcess.on('exit', () => {
             clearTimeout(timeout);
             resolve();
@@ -105,14 +113,18 @@ class AutheliaServerWithHotReload implements AutheliaServerInterface {
    * Handle file changes.
    * @param path The path of the file that has been changed.
    */
-  private async onFileChanged(path: string) {
-    console.log(`File ${path} has been changed, reloading...`);
-    if (path.startsWith('server/src/lib/configuration/schema')) {
+  private onFilesChanged = async (paths: string[]) => {
+    const containsSchemaFiles = paths.filter(
+      (p) => p.startsWith('server/src/lib/configuration/schema')).length > 0;
+    if (containsSchemaFiles) {
       console.log('Schema needs to be regenerated.');
       await this.generateConfigurationSchema();
     }
-    else if (path === this.AUTHELIA_INTERRUPT_FILENAME) {
-      if (fs.existsSync(path)) {
+    
+    const interruptFile = paths.filter(
+      (p) => p === this.AUTHELIA_INTERRUPT_FILENAME).length > 0;
+    if (interruptFile) {
+      if (fs.existsSync(this.AUTHELIA_INTERRUPT_FILENAME)) {
         console.log('Authelia is being interrupted.');
         await this.killServer();
       } else {
@@ -121,8 +133,32 @@ class AutheliaServerWithHotReload implements AutheliaServerInterface {
       }
       return;
     }
+
     await this.killServer();
     await this.startServer();
+
+    if (this.filesChangedBuffer.length > 0) {
+      await this.consumeFileChanged();
+    }
+  }
+
+  private async consumeFileChanged() {
+    this.changeInProgress = true;
+    const paths = this.filesChangedBuffer;
+    this.filesChangedBuffer = [];
+    try {
+      await this.onFilesChanged(paths);
+    } catch(e) {
+      console.error(e);
+    }
+    this.changeInProgress = false;
+  }
+
+  private enqueueFileChanged(path: string) {
+    console.log(`File ${path} has been changed, reloading...`);
+    this.filesChangedBuffer.push(path);
+    if (this.changeInProgress) return;
+    this.consumeFileChanged();
   }
 
   async start() {
@@ -132,9 +168,9 @@ class AutheliaServerWithHotReload implements AutheliaServerInterface {
     }
 
     console.log('Start watching file changes...');
-    this.watcher.on('add', (p) => this.onFileChanged(p));
-    this.watcher.on('unlink', (p) => this.onFileChanged(p));
-    this.watcher.on('change', (p) => this.onFileChanged(p));
+    this.watcher.on('add', (p) => this.enqueueFileChanged(p));
+    this.watcher.on('unlink', (p) => this.enqueueFileChanged(p));
+    this.watcher.on('change', (p) => this.enqueueFileChanged(p));
 
     this.startClient();
     this.startServer();
@@ -143,6 +179,7 @@ class AutheliaServerWithHotReload implements AutheliaServerInterface {
   async stop() {
     await this.killClient();
     await this.killServer();
+    await sleep(2000);
   }
 }
 
diff --git a/test/helpers/context/AutheliaSuite.ts b/test/helpers/context/AutheliaSuite.ts
index e883ff024..121064f26 100644
--- a/test/helpers/context/AutheliaSuite.ts
+++ b/test/helpers/context/AutheliaSuite.ts
@@ -1,4 +1,3 @@
-import WithEnvironment from "./WithEnvironment";
 import fs from 'fs';
 
 interface AutheliaSuiteType {
@@ -11,10 +10,6 @@ function AutheliaSuiteBase(suitePath: string,
   context: (description: string, ctx: (this: Mocha.ISuiteCallbackContext) => void) => Mocha.ISuite) {
   const suite = suitePath.split('/').slice(-1)[0];
   return context('Suite: ' + suite, function(this: Mocha.ISuiteCallbackContext) {
-    if (!fs.existsSync('.suite')) {
-      WithEnvironment(suite);
-    }
-
     cb.call(this);
   });
 }
diff --git a/test/helpers/context/WithEnvironment.ts b/test/helpers/context/WithEnvironment.ts
deleted file mode 100644
index 937871158..000000000
--- a/test/helpers/context/WithEnvironment.ts
+++ /dev/null
@@ -1,22 +0,0 @@
-import sleep from '../utils/sleep';
-
-export default function WithEnvironment(suite: string, waitTimeout: number = 5000) {
-  var { setup, teardown } = require(`../../suites/${suite}/environment`);
-
-  before(async function() {
-    this.timeout(30000);
-
-    console.log('Preparing environment...');
-    await setup();  
-    await sleep(waitTimeout);
-  });
-  
-  after(async function() {
-    this.timeout(30000);
-
-    console.log('Stopping environment...');
-    await teardown();
-
-    await sleep(waitTimeout);
-  });
-}
\ No newline at end of file
diff --git a/test/helpers/context/kubernetes/Kubernetes.ts b/test/helpers/context/kubernetes/Kubernetes.ts
new file mode 100644
index 000000000..425b2c962
--- /dev/null
+++ b/test/helpers/context/kubernetes/Kubernetes.ts
@@ -0,0 +1,27 @@
+import { exec } from '../../../helpers/utils/exec';
+
+class Kubernetes {
+  kubeConfig: string;
+
+  constructor(kubeConfig: string) {
+    this.kubeConfig = kubeConfig;
+  }
+
+  async apply(configPath: string) {
+    await exec('kubectl apply -f ' + configPath, {
+      env: {
+        KUBECONFIG: this.kubeConfig,
+      }
+    })
+  }
+
+  async loadDockerImage(image: string) {
+    await exec('kind load docker-image ' + image), {
+      env: {
+        KUBECONFIG: this.kubeConfig,
+      }
+    };
+  }
+}
+
+export default Kubernetes;
\ No newline at end of file
diff --git a/test/helpers/context/kubernetes/KubernetesManager.ts b/test/helpers/context/kubernetes/KubernetesManager.ts
new file mode 100644
index 000000000..558740006
--- /dev/null
+++ b/test/helpers/context/kubernetes/KubernetesManager.ts
@@ -0,0 +1,20 @@
+import { exec } from '../../../helpers/utils/exec';
+import { execSync } from 'child_process';
+import Kubernetes from './Kubernetes';
+
+class KubernetesManager {
+  static async create() {
+    await exec('kind create cluster');
+
+    const configPath = execSync('kind get kubeconfig-path --name="kind"', {
+      env: process.env
+    }).toString('utf-8').trim();
+    return new Kubernetes(configPath);
+  }
+
+  static async delete() {
+    await exec('kind delete cluster');
+  }
+}
+
+export default KubernetesManager;
\ No newline at end of file
diff --git a/test/helpers/scenarii/SingleFactorAuthentication.ts b/test/helpers/scenarii/SingleFactorAuthentication.ts
new file mode 100644
index 000000000..d1bc8471a
--- /dev/null
+++ b/test/helpers/scenarii/SingleFactorAuthentication.ts
@@ -0,0 +1,39 @@
+import Logout from "../Logout";
+import { StartDriver, StopDriver } from "../context/WithDriver";
+import LoginOneFactor from "../behaviors/LoginOneFactor";
+import VerifySecretObserved from "../assertions/VerifySecretObserved";
+import VisitPage from "../VisitPage";
+import VerifyIsSecondFactorStage from "../assertions/VerifyIsSecondFactorStage";
+import VerifyUrlContains from "../assertions/VerifyUrlContains";
+
+/*
+ * Those tests are related to single factor protected resources.
+ */
+export default function(timeout: number = 5000) {
+  return function() {
+    beforeEach(async function() {
+      this.driver = await StartDriver();
+    });
+  
+    afterEach(async function() {
+      await Logout(this.driver);
+      await StopDriver(this.driver);
+    });
+  
+    it("should redirect user after first stage", async function() {
+      await LoginOneFactor(this.driver, "john", "password", "https://singlefactor.example.com:8080/secret.html", timeout);
+      await VerifySecretObserved(this.driver, timeout);
+    });
+  
+    it("should redirect to portal if not enough authorized", async function() {
+      await LoginOneFactor(this.driver, "john", "password", "https://singlefactor.example.com:8080/secret.html", timeout);
+      await VisitPage(this.driver, "https://admin.example.com:8080/secret.html");
+  
+      // the url should be the one from the portal.
+      await VerifyUrlContains(this.driver, "https://login.example.com:8080/#/?rd=https://admin.example.com:8080", timeout);
+  
+      // And the user should end up on the second factor page.
+      await VerifyIsSecondFactorStage(this.driver, timeout);
+    });
+  }
+}
\ No newline at end of file
diff --git a/test/helpers/scenarii/TwoFactorAuthentication.ts b/test/helpers/scenarii/TwoFactorAuthentication.ts
new file mode 100644
index 000000000..915f55928
--- /dev/null
+++ b/test/helpers/scenarii/TwoFactorAuthentication.ts
@@ -0,0 +1,22 @@
+import { StartDriver, StopDriver } from "../context/WithDriver";
+import RegisterAndLoginTwoFactor from "../behaviors/RegisterAndLoginTwoFactor";
+import VerifyUrlIs from "../assertions/VerifyUrlIs";
+
+export default function (timeout: number = 5000) {
+  return function() {
+    describe('The user is redirected to target url upon successful authentication', function() {
+      before(async function() {
+        this.driver = await StartDriver();
+        await RegisterAndLoginTwoFactor(this.driver, 'john', "password", true, 'https://admin.example.com:8080/secret.html', timeout);
+      });
+  
+      after(async function() {
+        await StopDriver(this.driver);
+      });
+  
+      it('should redirect the user', async function() {
+        await VerifyUrlIs(this.driver, 'https://admin.example.com:8080/secret.html', timeout);
+      });
+    });
+  }
+}
\ No newline at end of file
diff --git a/test/helpers/utils/WaitUntil.ts b/test/helpers/utils/WaitUntil.ts
new file mode 100644
index 000000000..ea8679a25
--- /dev/null
+++ b/test/helpers/utils/WaitUntil.ts
@@ -0,0 +1,28 @@
+import sleep from "./sleep";
+
+export default function WaitUntil(
+  fn: () => Promise<boolean>, timeout: number = 15000,
+  interval: number = 1000, waitAfter: number = 0): Promise<void> {
+
+  return new Promise(async (resolve, reject) => {
+    const timer = setTimeout(() => { throw new Error('Timeout') }, timeout);
+    while (true) {
+      try {
+        const res = await fn();
+        if (res && res === true) {
+          clearTimeout(timer);
+          break;
+        }
+        await sleep(interval);
+      } catch (err) {
+        console.error(err);
+        reject(err);
+        return;
+      }
+    }
+    
+    if (waitAfter > 0)
+      await sleep(waitAfter);
+    resolve();
+  });
+}
\ No newline at end of file
diff --git a/test/helpers/utils/exec.ts b/test/helpers/utils/exec.ts
index 5fe77cc4e..29be7ec80 100644
--- a/test/helpers/utils/exec.ts
+++ b/test/helpers/utils/exec.ts
@@ -1,11 +1,32 @@
 var spawn = require('child_process').spawn;
 
+interface Options {
+  cwd?: string;
+  env?: {[key: string]: string};
+  debug?: boolean;
+}
 
-export function exec(command: string): Promise<void> {
+export function exec(command: string, options?: Options): Promise<void> {
   return new Promise((resolve, reject) => {
-    const cmd = spawn(command, {
+    const spawnOptions = {
       shell: true,
-    });
+    } as any;
+
+    if (options && options.cwd) {
+      spawnOptions['cwd'] = options.cwd;
+    }
+
+    if (options && options.env) {
+      spawnOptions['env'] = {
+        ...options.env,
+        ...process.env,
+      }
+    }
+    
+    if (options && options.debug) {
+      console.log('>>> ' + command);
+    }
+    const cmd = spawn(command, spawnOptions);
 
     cmd.stdout.pipe(process.stdout);
     cmd.stderr.pipe(process.stderr);
@@ -14,7 +35,7 @@ export function exec(command: string): Promise<void> {
         resolve();
         return;
       }
-      reject(new Error('Exited with status code ' + statusCode));
+      reject(new Error('\'' + command + '\' exited with status code ' + statusCode));
     });
   });
 }
diff --git a/test/helpers/utils/execPromise.ts b/test/helpers/utils/execPromise.ts
new file mode 100644
index 000000000..e3d5aabd9
--- /dev/null
+++ b/test/helpers/utils/execPromise.ts
@@ -0,0 +1,16 @@
+import { exec } from 'child_process';
+
+function execPromise(command: string) {
+  return new Promise<string>(function(resolve, reject) {
+      exec(command, (error, stdout, stderr) => {
+          if (error) {
+              reject(error);
+              return;
+          }
+
+          resolve(stdout.trim());
+      });
+  });
+}
+
+export default execPromise;
\ No newline at end of file
diff --git a/test/suites/basic/config.yml b/test/suites/basic/config.yml
index 7ac889061..d15160341 100644
--- a/test/suites/basic/config.yml
+++ b/test/suites/basic/config.yml
@@ -39,7 +39,7 @@ access_control:
   default_policy: deny
 
   rules:
-    - domain: single_factor.example.com
+    - domain: singlefactor.example.com
       policy: one_factor
 
     - domain: '*.example.com'
diff --git a/test/suites/basic/environment.ts b/test/suites/basic/environment.ts
index 6d865c6a9..8fa6b2f2a 100644
--- a/test/suites/basic/environment.ts
+++ b/test/suites/basic/environment.ts
@@ -20,9 +20,17 @@ async function setup() {
 }
 
 async function teardown() {
-  await dockerEnv.stop();
   await autheliaServer.stop();
-  await exec('rm -r /tmp/authelia/db');
+  await dockerEnv.stop();
+  await exec('rm -rf /tmp/authelia/db');
 }
 
-export { setup, teardown };
\ No newline at end of file
+const setup_timeout = 30000;
+const teardown_timeout = 30000;
+
+export {
+  setup,
+  setup_timeout,
+  teardown,
+  teardown_timeout
+};
\ No newline at end of file
diff --git a/test/suites/basic/scenarii/BadPassword.ts b/test/suites/basic/scenarii/BadPassword.ts
index 448657534..48cf45fc6 100644
--- a/test/suites/basic/scenarii/BadPassword.ts
+++ b/test/suites/basic/scenarii/BadPassword.ts
@@ -14,7 +14,7 @@ export default function() {
 
     before(async function() {
       this.driver = await StartDriver();
-      await VisitPageAndWaitUrlIs(this.driver, "https://login.example.com:8080/")
+      await VisitPageAndWaitUrlIs(this.driver, "https://login.example.com:8080/#/")
       await FillLoginPageWithUserAndPasswordAndClick(this.driver, 'john', 'bad_password');
     });
 
diff --git a/test/suites/basic/scenarii/LogoutRedirectToAlreadyLoggedIn.ts b/test/suites/basic/scenarii/LogoutRedirectToAlreadyLoggedIn.ts
index 37530c9a8..8bd8874c9 100644
--- a/test/suites/basic/scenarii/LogoutRedirectToAlreadyLoggedIn.ts
+++ b/test/suites/basic/scenarii/LogoutRedirectToAlreadyLoggedIn.ts
@@ -16,7 +16,7 @@ export default function() {
     });
 
     it('should redirect the user', async function() {
-      await VisitPage(this.driver, 'https://login.example.com:8080/logout');
+      await VisitPage(this.driver, 'https://login.example.com:8080/#/logout');
       await VerifyIsAlreadyAuthenticatedStage(this.driver);
     });
   });
diff --git a/test/suites/basic/scenarii/RequiredTwoFactor.ts b/test/suites/basic/scenarii/RequiredTwoFactor.ts
index dd48a9494..76b83f6f5 100644
--- a/test/suites/basic/scenarii/RequiredTwoFactor.ts
+++ b/test/suites/basic/scenarii/RequiredTwoFactor.ts
@@ -13,7 +13,7 @@ export default function() {
       if (!secret) throw new Error('No secret!');
       
       await VisitPage(this.driver, "https://admin.example.com:8080/secret.html");
-      await VerifyUrlIs(this.driver, "https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html");
+      await VerifyUrlIs(this.driver, "https://login.example.com:8080/#/?rd=https://admin.example.com:8080/secret.html");
       await FillLoginPageAndClick(this.driver, "john", "password");
       await VerifyIsSecondFactorStage(this.driver);
     });
diff --git a/test/suites/basic/scenarii/ResetPassword.ts b/test/suites/basic/scenarii/ResetPassword.ts
index f2b6b95db..42ed31d5b 100644
--- a/test/suites/basic/scenarii/ResetPassword.ts
+++ b/test/suites/basic/scenarii/ResetPassword.ts
@@ -21,12 +21,12 @@ export default function() {
   })
 
   it("should reset password for john", async function() {
-    await VisitPageAndWaitUrlIs(this.driver, "https://login.example.com:8080/");
+    await VisitPageAndWaitUrlIs(this.driver, "https://login.example.com:8080/#/");
     await ClickOnLink(this.driver, "Forgot password\?");
-    await VerifyUrlIs(this.driver, "https://login.example.com:8080/forgot-password");
+    await VerifyUrlIs(this.driver, "https://login.example.com:8080/#/forgot-password");
     await FillField(this.driver, "username", "john");
     await ClickOn(this.driver, SeleniumWebDriver.By.id('next-button'));
-    await VerifyUrlIs(this.driver, 'https://login.example.com:8080/confirmation-sent');
+    await VerifyUrlIs(this.driver, 'https://login.example.com:8080/#/confirmation-sent');
 
     await this.driver.sleep(500); // Simulate the time it takes to receive the e-mail.
     const link = await GetLinkFromEmail();
@@ -34,7 +34,7 @@ export default function() {
     await FillField(this.driver, "password1", "newpass");
     await FillField(this.driver, "password2", "newpass");
     await ClickOn(this.driver, SeleniumWebDriver.By.id('reset-button'));
-    await VerifyUrlIs(this.driver, "https://login.example.com:8080/");
+    await VerifyUrlIs(this.driver, "https://login.example.com:8080/#/");
     await FillLoginPageAndClick(this.driver, "john", "newpass");
 
     // The user reaches the second factor page using the new password.
@@ -42,23 +42,23 @@ export default function() {
   });
 
   it("should persuade reset password is initiated for unknown user", async function() {
-    await VisitPageAndWaitUrlIs(this.driver, "https://login.example.com:8080/");
+    await VisitPageAndWaitUrlIs(this.driver, "https://login.example.com:8080/#/");
     await ClickOnLink(this.driver, "Forgot password\?");
-    await VerifyUrlIs(this.driver, "https://login.example.com:8080/forgot-password");
+    await VerifyUrlIs(this.driver, "https://login.example.com:8080/#/forgot-password");
     await FillField(this.driver, "username", "unknown");
     await ClickOn(this.driver, SeleniumWebDriver.By.id('next-button'));
 
     // The malicious user thinks the confirmation has been sent.
-    await VerifyUrlIs(this.driver, 'https://login.example.com:8080/confirmation-sent');
+    await VerifyUrlIs(this.driver, 'https://login.example.com:8080/#/confirmation-sent');
   });
 
   it("should notify passwords are different in reset form", async function() {
-    await VisitPageAndWaitUrlIs(this.driver, "https://login.example.com:8080/");
+    await VisitPageAndWaitUrlIs(this.driver, "https://login.example.com:8080/#/");
     await ClickOnLink(this.driver, "Forgot password\?");
-    await VerifyUrlIs(this.driver, "https://login.example.com:8080/forgot-password");
+    await VerifyUrlIs(this.driver, "https://login.example.com:8080/#/forgot-password");
     await FillField(this.driver, "username", "john");
     await ClickOn(this.driver, SeleniumWebDriver.By.id('next-button'));
-    await VerifyUrlIs(this.driver, 'https://login.example.com:8080/confirmation-sent');
+    await VerifyUrlIs(this.driver, 'https://login.example.com:8080/#/confirmation-sent');
 
     await this.driver.sleep(500); // Simulate the time it takes to receive the e-mail.
     const link = await GetLinkFromEmail();
diff --git a/test/suites/basic/scenarii/SimpleAuthentication.ts b/test/suites/basic/scenarii/SimpleAuthentication.ts
deleted file mode 100644
index 78331b8de..000000000
--- a/test/suites/basic/scenarii/SimpleAuthentication.ts
+++ /dev/null
@@ -1,37 +0,0 @@
-import { StartDriver, StopDriver } from "../../../helpers/context/WithDriver";
-import RegisterAndLoginTwoFactor from "../../../helpers/behaviors/RegisterAndLoginTwoFactor";
-import VerifyUrlIs from "../../../helpers/assertions/VerifyUrlIs";
-import VisitPage from "../../../helpers/VisitPage";
-
-
-export default function() {
-  describe('The user is redirected to target url upon successful authentication', function() {
-    before(async function() {
-      this.driver = await StartDriver();
-      await RegisterAndLoginTwoFactor(this.driver, 'john', "password", true, 'https://admin.example.com:8080/secret.html');
-    });
-
-    after(async function() {
-      await StopDriver(this.driver);
-    });
-
-    it('should redirect the user', async function() {
-      await VerifyUrlIs(this.driver, 'https://admin.example.com:8080/secret.html');
-    });
-  });
-
-  describe('The target url is in "rd" parameter of the portal URL', function() {
-    before(async function() {
-      this.driver = await StartDriver();
-      await VisitPage(this.driver, 'https://admin.example.com:8080/secret.html');
-    });
-
-    after(async function() {
-      await StopDriver(this.driver);
-    });
-
-    it('should redirect the user', async function() {
-      await VerifyUrlIs(this.driver, 'https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html');
-    });
-  })
-}
\ No newline at end of file
diff --git a/test/suites/basic/scenarii/TOTPValidation.ts b/test/suites/basic/scenarii/TOTPValidation.ts
index f5cbbbbda..e72b82c7f 100644
--- a/test/suites/basic/scenarii/TOTPValidation.ts
+++ b/test/suites/basic/scenarii/TOTPValidation.ts
@@ -20,7 +20,7 @@ export default function() {
       const secret = await LoginAndRegisterTotp(this.driver, "john", "password", true);
       if (!secret) throw new Error('No secret!');
       
-      await VisitPageAndWaitUrlIs(this.driver, "https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html");
+      await VisitPageAndWaitUrlIs(this.driver, "https://login.example.com:8080/#/?rd=https://admin.example.com:8080/secret.html");
       await FillLoginPageWithUserAndPasswordAndClick(this.driver, 'john', 'password');
       await ValidateTotp(this.driver, secret);
     });
@@ -49,7 +49,7 @@ export default function() {
       await LoginAndRegisterTotp(this.driver, "john", "password", true);
       const BAD_TOKEN = "125478";
         
-      await VisitPageAndWaitUrlIs(this.driver, "https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html");
+      await VisitPageAndWaitUrlIs(this.driver, "https://login.example.com:8080/#/?rd=https://admin.example.com:8080/secret.html");
       await FillLoginPageWithUserAndPasswordAndClick(this.driver, 'john', 'password');
       await ValidateTotp(this.driver, BAD_TOKEN);
     });
diff --git a/test/suites/basic/test.ts b/test/suites/basic/test.ts
index fa432390f..e6f5c8700 100644
--- a/test/suites/basic/test.ts
+++ b/test/suites/basic/test.ts
@@ -7,8 +7,8 @@ import BackendProtection from './scenarii/BackendProtection';
 import VerifyEndpoint from './scenarii/VerifyEndpoint';
 import RequiredTwoFactor from './scenarii/RequiredTwoFactor';
 import LogoutRedirectToAlreadyLoggedIn from './scenarii/LogoutRedirectToAlreadyLoggedIn';
-import SimpleAuthentication from './scenarii/SimpleAuthentication';
 import { exec } from '../../helpers/utils/exec';
+import TwoFactorAuthentication from "../../helpers/scenarii/TwoFactorAuthentication";
 
 AutheliaSuite(__dirname, function() {
   this.timeout(10000);
@@ -17,7 +17,7 @@ AutheliaSuite(__dirname, function() {
     await exec(`cp ${__dirname}/users_database.yml ${__dirname}/users_database.test.yml`);
   });
 
-  describe('Simple authentication', SimpleAuthentication);
+  describe('Two-factor authentication', TwoFactorAuthentication());
   describe('Backend protection', BackendProtection);
   describe('Verify API endpoint', VerifyEndpoint);
   describe('Bad password', BadPassword);
diff --git a/test/suites/dockerhub/config.yml b/test/suites/dockerhub/config.yml
index f88b207f2..b6dcde391 100644
--- a/test/suites/dockerhub/config.yml
+++ b/test/suites/dockerhub/config.yml
@@ -130,7 +130,7 @@ access_control:
     # Rules applied to everyone
     - domain: public.example.com
       policy: two_factor
-    - domain: single_factor.example.com
+    - domain: singlefactor.example.com
       policy: one_factor
 
     # Rules applied to 'admin' group
diff --git a/test/suites/dockerhub/environment.ts b/test/suites/dockerhub/environment.ts
index b8213ef3d..bc522e45f 100644
--- a/test/suites/dockerhub/environment.ts
+++ b/test/suites/dockerhub/environment.ts
@@ -25,4 +25,13 @@ async function teardown() {
   await dockerEnv.stop();
 }
 
-export { setup, teardown, composeFiles };
\ No newline at end of file
+const setup_timeout = 30000;
+const teardown_timeout = 30000;
+
+export {
+  setup,
+  setup_timeout,
+  teardown,
+  teardown_timeout,
+  composeFiles
+};
\ No newline at end of file
diff --git a/test/suites/dockerhub/scenarii/SimpleAuthentication.ts b/test/suites/dockerhub/scenarii/SimpleAuthentication.ts
deleted file mode 100644
index 7d42298ab..000000000
--- a/test/suites/dockerhub/scenarii/SimpleAuthentication.ts
+++ /dev/null
@@ -1,20 +0,0 @@
-import { StartDriver, StopDriver } from "../../../helpers/context/WithDriver";
-import RegisterAndLoginTwoFactor from "../../../helpers/behaviors/RegisterAndLoginTwoFactor";
-import VerifyUrlIs from "../../../helpers/assertions/VerifyUrlIs";
-
-export default function () {
-  describe('The user is redirected to target url upon successful authentication', function() {
-    before(async function() {
-      this.driver = await StartDriver();
-      await RegisterAndLoginTwoFactor(this.driver, 'john', "password", true, 'https://admin.example.com:8080/secret.html');
-    });
-
-    after(async function() {
-      await StopDriver(this.driver);
-    });
-
-    it('should redirect the user', async function() {
-      await VerifyUrlIs(this.driver, 'https://admin.example.com:8080/secret.html');
-    });
-  });
-}
\ No newline at end of file
diff --git a/test/suites/dockerhub/test.ts b/test/suites/dockerhub/test.ts
index 5faed631f..0de403d3d 100644
--- a/test/suites/dockerhub/test.ts
+++ b/test/suites/dockerhub/test.ts
@@ -2,7 +2,8 @@ import AutheliaSuite from '../../helpers/context/AutheliaSuite';
 import DockerCompose from '../../helpers/context/DockerCompose';
 import { composeFiles } from './environment';
 import Assert from 'assert';
-import SimpleAuthentication from './scenarii/SimpleAuthentication';
+import SingleFactorAuthentication from '../../helpers/scenarii/SingleFactorAuthentication';
+import TwoFactorAuthentication from '../../helpers/scenarii/TwoFactorAuthentication';
 
 AutheliaSuite(__dirname, function() {
   this.timeout(15000);
@@ -21,5 +22,6 @@ AutheliaSuite(__dirname, function() {
     });
   });
 
-  describe('Simple authentication', SimpleAuthentication);
+  describe('Single-factor authentication', SingleFactorAuthentication())
+  describe('Two-factor authentication', TwoFactorAuthentication());
 });
\ No newline at end of file
diff --git a/test/suites/high-availability/config.yml b/test/suites/high-availability/config.yml
index 6cbf82a19..8395d79e5 100644
--- a/test/suites/high-availability/config.yml
+++ b/test/suites/high-availability/config.yml
@@ -129,14 +129,22 @@ access_control:
   rules:
     # Rules applied to everyone
     - domain: public.example.com
+      policy: bypass
+    - domain: secure.example.com
       policy: two_factor
-    - domain: single_factor.example.com
+    - domain: singlefactor.example.com
       policy: one_factor
 
     # Rules applied to 'admin' group
-    - domain: 'mx2.mail.example.com'
+    - domain: mx2.mail.example.com
       subject: 'group:admin'
       policy: deny
+
+    # Rules applied to user 'john'
+    - domain: '*.example.com'
+      subject: 'user:john'
+      policy: two_factor
+
     - domain: '*.example.com'
       subject: 'group:admin'
       policy: two_factor
@@ -148,14 +156,6 @@ access_control:
       subject: 'group:dev'
       policy: two_factor
 
-    # Rules applied to user 'john'
-    - domain: dev.example.com
-      resources:
-        - '^/users/john/.*$'
-      subject: 'user:john'
-      policy: two_factor
-
-
     # Rules applied to user 'harry'
     - domain: dev.example.com
       resources:
diff --git a/test/suites/high-availability/environment.ts b/test/suites/high-availability/environment.ts
index de25d2f20..c82dd2fbc 100644
--- a/test/suites/high-availability/environment.ts
+++ b/test/suites/high-availability/environment.ts
@@ -37,4 +37,13 @@ async function teardown() {
   await dockerEnv.stop();
 }
 
-export { setup, teardown, composeFiles };
\ No newline at end of file
+const setup_timeout = 30000;
+const teardown_timeout = 30000;
+
+export {
+  setup,
+  setup_timeout,
+  teardown,
+  teardown_timeout,
+  composeFiles
+};
\ No newline at end of file
diff --git a/test/suites/high-availability/scenarii/AccessControl.ts b/test/suites/high-availability/scenarii/AccessControl.ts
index 225cb436e..7197fb067 100644
--- a/test/suites/high-availability/scenarii/AccessControl.ts
+++ b/test/suites/high-availability/scenarii/AccessControl.ts
@@ -1,12 +1,13 @@
 import LoginAndRegisterTotp from "../../../helpers/LoginAndRegisterTotp";
-import VisitPage from "../../../helpers/VisitPage";
 import VerifySecretObserved from "../../../helpers/assertions/VerifySecretObserved";
 import WithDriver from "../../../helpers/context/WithDriver";
 import FillLoginPageAndClick from "../../../helpers/FillLoginPageAndClick";
 import ValidateTotp from "../../../helpers/ValidateTotp";
-import VerifyUrlIs from "../../../helpers/assertions/VerifyUrlIs";
 import Logout from "../../../helpers/Logout";
 import VisitPageAndWaitUrlIs from "../../../helpers/behaviors/VisitPageAndWaitUrlIs";
+import VerifyBodyContains from "../../../helpers/assertions/VerifyBodyContains";
+import VerifyIsSecondFactorStage from "../../../helpers/assertions/VerifyIsSecondFactorStage";
+import VerifyUrlIs from "../../../helpers/assertions/VerifyUrlIs";
 
 async function ShouldHaveAccessTo(url: string) {
   it('should have access to ' + url, async function() {
@@ -17,8 +18,8 @@ async function ShouldHaveAccessTo(url: string) {
 
 async function ShouldNotHaveAccessTo(url: string) {
   it('should not have access to ' + url, async function() {
-    await VisitPage(this.driver, url);
-    await VerifyUrlIs(this.driver, 'https://login.example.com:8080/');
+    await VisitPageAndWaitUrlIs(this.driver, url);
+    await VerifyBodyContains(this.driver, "403 Forbidden");
   })
 }
 
@@ -35,12 +36,15 @@ export default function() {
 
     before(async function() {
       const secret = await LoginAndRegisterTotp(this.driver, "john", "password", true);
-      await VisitPageAndWaitUrlIs(this.driver, 'https://login.example.com:8080/');
+      await VisitPageAndWaitUrlIs(this.driver, 'https://login.example.com:8080/#/');
       await FillLoginPageAndClick(this.driver, 'john', 'password', false);
       await ValidateTotp(this.driver, secret);
+      // Default URL in conf is home.
+      await VerifyUrlIs(this.driver, 'https://home.example.com:8080/');
     })
 
     ShouldHaveAccessTo('https://public.example.com:8080/secret.html');
+    ShouldHaveAccessTo('https://secure.example.com:8080/secret.html');
     ShouldHaveAccessTo('https://dev.example.com:8080/groups/admin/secret.html');
     ShouldHaveAccessTo('https://dev.example.com:8080/groups/dev/secret.html');
     ShouldHaveAccessTo('https://dev.example.com:8080/users/john/secret.html');
@@ -48,7 +52,7 @@ export default function() {
     ShouldHaveAccessTo('https://dev.example.com:8080/users/bob/secret.html');
     ShouldHaveAccessTo('https://admin.example.com:8080/secret.html');
     ShouldHaveAccessTo('https://mx1.mail.example.com:8080/secret.html');
-    ShouldHaveAccessTo('https://single_factor.example.com:8080/secret.html');
+    ShouldHaveAccessTo('https://singlefactor.example.com:8080/secret.html');
     ShouldNotHaveAccessTo('https://mx2.mail.example.com:8080/secret.html');
   })
 
@@ -62,12 +66,15 @@ export default function() {
 
     before(async function() {
       const secret = await LoginAndRegisterTotp(this.driver, "bob", "password", true);
-      await VisitPageAndWaitUrlIs(this.driver, 'https://login.example.com:8080/');
+      await VisitPageAndWaitUrlIs(this.driver, 'https://login.example.com:8080/#/');
       await FillLoginPageAndClick(this.driver, 'bob', 'password', false);
       await ValidateTotp(this.driver, secret);
+      // Default URL in conf is home.
+      await VerifyUrlIs(this.driver, 'https://home.example.com:8080/');
     })
 
     ShouldHaveAccessTo('https://public.example.com:8080/secret.html');
+    ShouldHaveAccessTo('https://secure.example.com:8080/secret.html');
     ShouldNotHaveAccessTo('https://dev.example.com:8080/groups/admin/secret.html');
     ShouldHaveAccessTo('https://dev.example.com:8080/groups/dev/secret.html');
     ShouldNotHaveAccessTo('https://dev.example.com:8080/users/john/secret.html');
@@ -75,7 +82,7 @@ export default function() {
     ShouldHaveAccessTo('https://dev.example.com:8080/users/bob/secret.html');
     ShouldNotHaveAccessTo('https://admin.example.com:8080/secret.html');
     ShouldHaveAccessTo('https://mx1.mail.example.com:8080/secret.html');
-    ShouldHaveAccessTo('https://single_factor.example.com:8080/secret.html');
+    ShouldHaveAccessTo('https://singlefactor.example.com:8080/secret.html');
     ShouldHaveAccessTo('https://mx2.mail.example.com:8080/secret.html');
   })
 
@@ -89,12 +96,15 @@ export default function() {
 
     before(async function() {
       const secret = await LoginAndRegisterTotp(this.driver, "harry", "password", true);
-      await VisitPageAndWaitUrlIs(this.driver, 'https://login.example.com:8080/');
+      await VisitPageAndWaitUrlIs(this.driver, 'https://login.example.com:8080/#/');
       await FillLoginPageAndClick(this.driver, 'harry', 'password', false);
       await ValidateTotp(this.driver, secret);
+      // Default URL in conf is home.
+      await VerifyUrlIs(this.driver, 'https://home.example.com:8080/');
     })
 
     ShouldHaveAccessTo('https://public.example.com:8080/secret.html');
+    ShouldHaveAccessTo('https://secure.example.com:8080/secret.html');
     ShouldNotHaveAccessTo('https://dev.example.com:8080/groups/admin/secret.html');
     ShouldNotHaveAccessTo('https://dev.example.com:8080/groups/dev/secret.html');
     ShouldNotHaveAccessTo('https://dev.example.com:8080/users/john/secret.html');
@@ -102,7 +112,7 @@ export default function() {
     ShouldNotHaveAccessTo('https://dev.example.com:8080/users/bob/secret.html');
     ShouldNotHaveAccessTo('https://admin.example.com:8080/secret.html');
     ShouldNotHaveAccessTo('https://mx1.mail.example.com:8080/secret.html');
-    ShouldHaveAccessTo('https://single_factor.example.com:8080/secret.html');
+    ShouldHaveAccessTo('https://singlefactor.example.com:8080/secret.html');
     ShouldNotHaveAccessTo('https://mx2.mail.example.com:8080/secret.html');
   })
 }
\ No newline at end of file
diff --git a/test/suites/high-availability/scenarii/AuthenticationRegulation.ts b/test/suites/high-availability/scenarii/AuthenticationRegulation.ts
index 99a092fc3..87e5c2020 100644
--- a/test/suites/high-availability/scenarii/AuthenticationRegulation.ts
+++ b/test/suites/high-availability/scenarii/AuthenticationRegulation.ts
@@ -23,7 +23,7 @@ export default function() {
       await VerifyNotificationDisplayed(this.driver, "Authentication failed. Please check your credentials.");
 
       // when providing good credentials, the hacker is regulated and see same message as previously.
-      await LoginAs(this.driver, "blackhat", "password");
+      await LoginAs(this.driver, "blackhat", "bad-password");
       await VerifyNotificationDisplayed(this.driver, "Authentication failed. Please check your credentials.");
 
       // Wait the regulation ban time before retrying with correct credentials.
diff --git a/test/suites/high-availability/scenarii/BasicAuthentication.ts b/test/suites/high-availability/scenarii/BasicAuthentication.ts
index 941abfa69..b5e46a126 100644
--- a/test/suites/high-availability/scenarii/BasicAuthentication.ts
+++ b/test/suites/high-availability/scenarii/BasicAuthentication.ts
@@ -1,7 +1,7 @@
 import Request from 'request-promise';
 
 async function GetSecret(username: string, password: string) {
-  return await Request('https://single_factor.example.com:8080/secret.html', {
+  return await Request('https://singlefactor.example.com:8080/secret.html', {
     auth: {
       username,
       password
diff --git a/test/suites/high-availability/scenarii/CustomHeadersForwarded.ts b/test/suites/high-availability/scenarii/CustomHeadersForwarded.ts
index 2fdc8d045..83f6ac987 100644
--- a/test/suites/high-availability/scenarii/CustomHeadersForwarded.ts
+++ b/test/suites/high-availability/scenarii/CustomHeadersForwarded.ts
@@ -7,14 +7,14 @@ import VerifyUrlIs from "../../../helpers/assertions/VerifyUrlIs";
 
 export default function() {
   describe("Custom-Forwarded-User and Custom-Forwarded-Groups are correctly forwarded to protected backend", function() {
-    this.timeout(10000);
+    this.timeout(100000);
 
-    describe("With single factor", function() {
+    describe("Headers after single factor authentication", function() {
       before(async function() {
         this.driver = await StartDriver();
-        await LoginOneFactor(this.driver, "john", "password", "https://single_factor.example.com:8080/headers");
+        await LoginOneFactor(this.driver, "john", "password", "https://singlefactor.example.com:8080/headers");
       });
-    
+      
       after(async function() {
         await Logout(this.driver);
         await StopDriver(this.driver);
@@ -29,10 +29,10 @@ export default function() {
       });
     });
 
-    describe("With two factors", function() {
+    describe("Headers after two factor authentication", function() {
       before(async function() {
         this.driver = await StartDriver();
-        await RegisterAndLoginWith2FA(this.driver, "john", "password", true, "https://public.example.com:8080/headers");
+        await RegisterAndLoginWith2FA(this.driver, "john", "password", true, "https://secure.example.com:8080/headers");
       });
     
       after(async function() {
diff --git a/test/suites/high-availability/scenarii/EnforceInternalRedirectionsOnly.ts b/test/suites/high-availability/scenarii/EnforceInternalRedirectionsOnly.ts
index a8e01565d..dd870b557 100644
--- a/test/suites/high-availability/scenarii/EnforceInternalRedirectionsOnly.ts
+++ b/test/suites/high-availability/scenarii/EnforceInternalRedirectionsOnly.ts
@@ -6,6 +6,7 @@ import VerifyIsAlreadyAuthenticatedStage from "../../../helpers/assertions/Verif
 import { StartDriver, StopDriver } from "../../../helpers/context/WithDriver";
 import VisitPageAndWaitUrlIs from "../../../helpers/behaviors/VisitPageAndWaitUrlIs";
 import VerifyUrlIs from "../../../helpers/assertions/VerifyUrlIs";
+import VerifyNotificationDisplayed from "../../../helpers/assertions/VerifyNotificationDisplayed";
 
 /*
  * Authelia should not be vulnerable to open redirection. Otherwise it would aid an
@@ -29,18 +30,23 @@ export default function() {
       await StopDriver(this.driver);
     })
   
-    function CannotRedirectTo(url: string) {
+    function CannotRedirectTo(url: string, twoFactor: boolean = true) {
       it(`should redirect to already authenticated page when requesting ${url}`, async function() {
-        await VisitPageAndWaitUrlIs(this.driver, `https://login.example.com:8080/?rd=${url}`);
+        await VisitPageAndWaitUrlIs(this.driver, `https://login.example.com:8080/#/?rd=${url}`);
         await FillLoginPageWithUserAndPasswordAndClick(this.driver, 'john', 'password');
-        await ValidateTotp(this.driver, secret);
-        await VerifyIsAlreadyAuthenticatedStage(this.driver);
+        if (twoFactor) {
+          await ValidateTotp(this.driver, secret);
+          await VerifyIsAlreadyAuthenticatedStage(this.driver);
+        } else {
+          await VerifyNotificationDisplayed(this.driver,
+            "You're authenticated but cannot be automatically redirected to an unsafe URL.");
+        }
       });
     }
 
     function CanRedirectTo(url: string) {
       it(`should redirect to ${url}`, async function() {
-        await VisitPageAndWaitUrlIs(this.driver, `https://login.example.com:8080/?rd=${url}`);
+        await VisitPageAndWaitUrlIs(this.driver, `https://login.example.com:8080/#/?rd=${url}`);
         await FillLoginPageWithUserAndPasswordAndClick(this.driver, 'john', 'password');
         await ValidateTotp(this.driver, secret);
         await VerifyUrlIs(this.driver, url);
@@ -57,14 +63,19 @@ export default function() {
       CannotRedirectTo("https://public.example.com.a:8080");
     });
 
-    describe('Cannot redirect to http://public.example.com:8080', function() {
+    describe('Cannot redirect to http://secure.example.com:8080', function() {
       // Do not redirect to http website
-      CannotRedirectTo("http://public.example.com:8080");
+      CannotRedirectTo("http://secure.example.com:8080");
     });
 
-    describe('Can redirect to https://public.example.com:8080/', function() {
+    describe('Cannot redirect to http://singlefactor.example.com:8080', function() {
+      // Do not redirect to http website
+      CannotRedirectTo("http://singlefactor.example.com:8080", false);
+    });
+
+    describe('Can redirect to https://secure.example.com:8080/', function() {
       // Can redirect to any subdomain of the domain protected by Authelia.
-      CanRedirectTo("https://public.example.com:8080/");
+      CanRedirectTo("https://secure.example.com:8080/");
     });
   });
 }
\ No newline at end of file
diff --git a/test/suites/high-availability/scenarii/SingleFactorAuthentication.ts b/test/suites/high-availability/scenarii/SingleFactorAuthentication.ts
deleted file mode 100644
index a31887a5e..000000000
--- a/test/suites/high-availability/scenarii/SingleFactorAuthentication.ts
+++ /dev/null
@@ -1,37 +0,0 @@
-import Logout from "../../../helpers/Logout";
-import { StartDriver, StopDriver } from "../../../helpers/context/WithDriver";
-import LoginOneFactor from "../../../helpers/behaviors/LoginOneFactor";
-import VerifySecretObserved from "../../../helpers/assertions/VerifySecretObserved";
-import VisitPage from "../../../helpers/VisitPage";
-import VerifyUrlIs from "../../../helpers/assertions/VerifyUrlIs";
-import VerifyIsSecondFactorStage from "../../../helpers/assertions/VerifyIsSecondFactorStage";
-
-/*
- * Those tests are related to single factor protected resources.
- */
-export default function() {
-  beforeEach(async function() {
-    this.driver = await StartDriver();
-  });
-
-  afterEach(async function() {
-    await Logout(this.driver);
-    await StopDriver(this.driver);
-  });
-
-  it("should redirect user after first stage", async function() {
-    await LoginOneFactor(this.driver, "john", "password", "https://single_factor.example.com:8080/secret.html");
-    await VerifySecretObserved(this.driver);
-  });
-
-  it("should redirect to portal if not enough authorized", async function() {
-    await LoginOneFactor(this.driver, "john", "password", "https://single_factor.example.com:8080/secret.html");
-    await VisitPage(this.driver, "https://admin.example.com:8080/secret.html");
-
-    // the url should be the one from the portal.
-    await VerifyUrlIs(this.driver, "https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html");
-
-    // And the user should end up on the second factor page.
-    await VerifyIsSecondFactorStage(this.driver);
-  });
-}
\ No newline at end of file
diff --git a/test/suites/high-availability/test.ts b/test/suites/high-availability/test.ts
index 25d5c951c..67aedd279 100644
--- a/test/suites/high-availability/test.ts
+++ b/test/suites/high-availability/test.ts
@@ -3,20 +3,19 @@ import MongoConnectionRecovery from "./scenarii/MongoConnectionRecovery";
 import EnforceInternalRedirectionsOnly from "./scenarii/EnforceInternalRedirectionsOnly";
 import AccessControl from "./scenarii/AccessControl";
 import CustomHeadersForwarded from "./scenarii/CustomHeadersForwarded";
-import SingleFactorAuthentication from "./scenarii/SingleFactorAuthentication";
 import BasicAuthentication from "./scenarii/BasicAuthentication";
 import AutheliaRestart from "./scenarii/AutheliaRestart";
 import AuthenticationRegulation from "./scenarii/AuthenticationRegulation";
+import SingleFactorAuthentication from "../../helpers/scenarii/SingleFactorAuthentication";
 
 AutheliaSuite(__dirname, function() {
   this.timeout(10000);
 
   describe('Custom headers forwarded to backend', CustomHeadersForwarded);
   describe('Access control', AccessControl);
-
   describe('Mongo broken connection recovery', MongoConnectionRecovery);
   describe('Enforce internal redirections only', EnforceInternalRedirectionsOnly);
-  describe('Single factor authentication', SingleFactorAuthentication);
+  describe('Single-factor authentication', SingleFactorAuthentication());
   describe('Basic authentication', BasicAuthentication);
   describe('Authelia restart', AutheliaRestart);
   describe('Authentication regulation', AuthenticationRegulation);
diff --git a/test/suites/kubernetes/README.md b/test/suites/kubernetes/README.md
new file mode 100644
index 000000000..779f2322c
--- /dev/null
+++ b/test/suites/kubernetes/README.md
@@ -0,0 +1,12 @@
+# Kubernetes suite
+
+This suite has been created to test Authelia in Kubernetes with a nginx-ingress-controller.
+
+## Components
+
+This suite spawns nginx-ingress-controller, redis, mongo, ldap and a fake webmail to catch
+emails sent by Authelia. The configuration of all those services is located in *example/kube*.
+
+## Tests
+
+This suite tests if single and two-factor is working.
diff --git a/test/suites/kubernetes/environment.ts b/test/suites/kubernetes/environment.ts
new file mode 100644
index 000000000..bc422bbac
--- /dev/null
+++ b/test/suites/kubernetes/environment.ts
@@ -0,0 +1,134 @@
+import KubernetesManager from '../../helpers/context/kubernetes/KubernetesManager';
+import Kubernetes from '../../helpers/context/kubernetes/Kubernetes';
+import { exec } from '../../helpers/utils/exec';
+import WaitUntil from '../../helpers/utils/WaitUntil';
+import { spawn, execSync, ChildProcess } from 'child_process';
+import treeKill = require('tree-kill');
+import Redis, { RedisClient } from 'redis';
+import sleep from '../../helpers/utils/sleep';
+
+let portFowardingProcess: ChildProcess;
+
+function arePodsReady(kubernetes: Kubernetes): boolean {
+  const lines = execSync('kubectl get -n authelia pods --no-headers', { env: {
+    KUBECONFIG: kubernetes.kubeConfig,
+    ...process.env,
+  }}).toString('utf-8').split("\n").filter((x) => x !== '');
+  console.log(lines.join('\n'));
+  return lines.reduce((acc, line) => {
+    return acc && line.indexOf('1/1') > -1;
+  }, true);
+}
+
+function servicesReady(kubernetes: Kubernetes): Promise<void> {
+  return WaitUntil(async () => arePodsReady(kubernetes),
+    300000, 15000, 5000);
+}
+
+function redisConnected(redisClient: RedisClient): Promise<void> {
+  return new Promise<void>((resolve, reject) => {
+    console.log('Wait for redis to be connected.');
+    redisClient.on('connect', function() {
+      resolve();
+    });
+  })
+}
+
+function redisPingOk(redisClient: RedisClient): Promise<boolean> {
+  return new Promise<boolean>((resolve, reject) => {
+    console.log('Send PING to redis.');
+    redisClient.ping((err, msg) => {
+      if (err) {
+        reject(err);
+        return;
+      }
+
+      if (msg == 'PONG') {
+        resolve(true);
+        return;
+      }
+      resolve(false);
+    });
+  });
+}
+
+async function redisReady(kubernetes: Kubernetes): Promise<void> {
+  const redisPortForward = spawn('kubectl',
+    ['port-forward', '-n', 'authelia', 'service/redis-service', '8080:6379'], {
+    env: {KUBECONFIG: kubernetes.kubeConfig, ...process.env}
+  });
+  // Wait for the port to be open.
+  await sleep(2000);
+
+  const redisClient = Redis.createClient({
+    port: 8080,
+    no_ready_check: true,
+    retry_strategy: () => 3000,
+  });
+
+  try {
+    await redisConnected(redisClient);
+    await WaitUntil(async() => await redisPingOk(redisClient), 30000, 5000);
+  } catch(err) {
+    console.error(err);
+  } finally {
+    treeKill(redisPortForward.pid);
+  }
+}
+
+function startAutheliaPortForwarding(kubernetes: Kubernetes) {
+  // Serve applications on port 8080
+  portFowardingProcess = spawn('kubectl',
+    ['port-forward', '-n', 'authelia', 'service/nginx-ingress-controller-service', '8080:443'], {
+    env: {KUBECONFIG: kubernetes.kubeConfig, ...process.env}
+  });
+}
+
+async function setup() {
+  let kubernetes: Kubernetes;
+  if (!process.env['KUBECONFIG']) {
+    kubernetes = await KubernetesManager.create();
+  } else {
+    kubernetes = new Kubernetes(process.env['KUBECONFIG'] as string);
+  }
+
+  await kubernetes.loadDockerImage('authelia:dist');
+  await kubernetes.loadDockerImage('authelia-example-backend');
+  
+  await exec('./bootstrap.sh', {
+    cwd: './example/kube',
+    env: {KUBECONFIG: kubernetes.kubeConfig}
+  });
+
+  await servicesReady(kubernetes);
+  await redisReady(kubernetes);
+  await exec('./bootstrap-authelia.sh', {
+    cwd: './example/kube',
+    env: {KUBECONFIG: kubernetes.kubeConfig}
+  });
+  await servicesReady(kubernetes);
+
+  startAutheliaPortForwarding(kubernetes);
+}
+
+async function teardown() {
+  if (portFowardingProcess) {
+    console.log('Stopping port forwarding (%s)...', portFowardingProcess.pid);
+    treeKill(portFowardingProcess.pid, 'SIGKILL');
+    // Wait for the signal to be sent.
+    await sleep(1000);
+  }
+
+  // if (process.env['KUBECONFIG']) return;
+  // await KubernetesManager.delete();
+}
+
+const setup_timeout = 300000;
+const teardown_timeout = 30000;
+
+export {
+  setup,
+  setup_timeout,
+  teardown,
+  teardown_timeout
+};
\ No newline at end of file
diff --git a/test/suites/kubernetes/test.ts b/test/suites/kubernetes/test.ts
new file mode 100644
index 000000000..17033315b
--- /dev/null
+++ b/test/suites/kubernetes/test.ts
@@ -0,0 +1,10 @@
+import AutheliaSuite from '../../helpers/context/AutheliaSuite';
+import TwoFactorAuthentication from '../../helpers/scenarii/TwoFactorAuthentication';
+import SingleFactorAuthentication from '../../helpers/scenarii/SingleFactorAuthentication';
+
+AutheliaSuite(__dirname, function() {
+  this.timeout(30000);
+
+  describe('Single-factor authentication', SingleFactorAuthentication(30000));
+  describe('Two-factor authentication', TwoFactorAuthentication(30000));
+});
\ No newline at end of file
diff --git a/test/suites/short-timeouts/config.yml b/test/suites/short-timeouts/config.yml
index 992f5b903..9aa9b5404 100644
--- a/test/suites/short-timeouts/config.yml
+++ b/test/suites/short-timeouts/config.yml
@@ -39,7 +39,7 @@ access_control:
   default_policy: deny
 
   rules:
-    - domain: single_factor.example.com
+    - domain: singlefactor.example.com
       policy: one_factor
 
     - domain: '*.example.com'
diff --git a/test/suites/short-timeouts/environment.ts b/test/suites/short-timeouts/environment.ts
index 6d865c6a9..8fa6b2f2a 100644
--- a/test/suites/short-timeouts/environment.ts
+++ b/test/suites/short-timeouts/environment.ts
@@ -20,9 +20,17 @@ async function setup() {
 }
 
 async function teardown() {
-  await dockerEnv.stop();
   await autheliaServer.stop();
-  await exec('rm -r /tmp/authelia/db');
+  await dockerEnv.stop();
+  await exec('rm -rf /tmp/authelia/db');
 }
 
-export { setup, teardown };
\ No newline at end of file
+const setup_timeout = 30000;
+const teardown_timeout = 30000;
+
+export {
+  setup,
+  setup_timeout,
+  teardown,
+  teardown_timeout
+};
\ No newline at end of file
diff --git a/test/suites/short-timeouts/scenarii/Inactivity.ts b/test/suites/short-timeouts/scenarii/Inactivity.ts
index a3a9172c5..a3c1c7170 100644
--- a/test/suites/short-timeouts/scenarii/Inactivity.ts
+++ b/test/suites/short-timeouts/scenarii/Inactivity.ts
@@ -1,7 +1,6 @@
 import LoginAndRegisterTotp from "../../../helpers/LoginAndRegisterTotp";
 import FillLoginPageWithUserAndPasswordAndClick from "../../../helpers/FillLoginPageAndClick";
 import ValidateTotp from "../../../helpers/ValidateTotp";
-import { WebDriver } from "selenium-webdriver";
 import VisitPageAndWaitUrlIs from "../../../helpers/behaviors/VisitPageAndWaitUrlIs";
 import VisitPage from "../../../helpers/VisitPage";
 import VerifyUrlIs from "../../../helpers/assertions/VerifyUrlIs";
@@ -20,47 +19,43 @@ export default function(this: Mocha.ISuiteCallbackContext) {
   })
 
   it("should disconnect user after inactivity period", async function() {
-    const driver = this.driver as WebDriver;
-    await VisitPageAndWaitUrlIs(driver, "https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html");
-    await FillLoginPageWithUserAndPasswordAndClick(driver, 'john', 'password', false);
-    await ValidateTotp(driver, this.secret);
-    await VerifyUrlIs(driver, "https://admin.example.com:8080/secret.html");
-    await VisitPageAndWaitUrlIs(driver, "https://home.example.com:8080/");
-    await driver.sleep(6000);
-    await driver.get("https://admin.example.com:8080/secret.html");
-    await VerifyUrlIs(driver, "https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html");
+    await VisitPageAndWaitUrlIs(this.driver, "https://login.example.com:8080/#/?rd=https://admin.example.com:8080/secret.html");
+    await FillLoginPageWithUserAndPasswordAndClick(this.driver, 'john', 'password', false);
+    await ValidateTotp(this.driver, this.secret);
+    await VerifyUrlIs(this.driver, "https://admin.example.com:8080/secret.html");
+    await VisitPageAndWaitUrlIs(this.driver, "https://home.example.com:8080/");
+    await this.driver.sleep(6000);
+    await this.driver.get("https://admin.example.com:8080/secret.html");
+    await VerifyUrlIs(this.driver, "https://login.example.com:8080/#/?rd=https://admin.example.com:8080/secret.html");
   });
 
   it('should disconnect user after cookie expiration', async function() {
-    const driver = this.driver as WebDriver;
-    await VisitPageAndWaitUrlIs(driver, "https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html");
-    await FillLoginPageWithUserAndPasswordAndClick(driver, 'john', 'password', false);
-    await ValidateTotp(driver, this.secret);
-    await VerifyUrlIs(driver, "https://admin.example.com:8080/secret.html");
-    await VisitPageAndWaitUrlIs(driver, "https://home.example.com:8080/");
+    await VisitPageAndWaitUrlIs(this.driver, "https://login.example.com:8080/#/?rd=https://admin.example.com:8080/secret.html");
+    await FillLoginPageWithUserAndPasswordAndClick(this.driver, 'john', 'password', false);
+    await ValidateTotp(this.driver, this.secret);
+    await VerifyUrlIs(this.driver, "https://admin.example.com:8080/secret.html");
+    await VisitPageAndWaitUrlIs(this.driver, "https://home.example.com:8080/");
 
-    await driver.sleep(4000);
-    await driver.get("https://admin.example.com:8080/secret.html");
-    await driver.sleep(2000);
-    await driver.get("https://admin.example.com:8080/secret.html");
-
-    await driver.sleep(2000);
-    await driver.get("https://admin.example.com:8080/secret.html");
-    await VerifyUrlIs(driver, "https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html");
+    await this.driver.sleep(4000);
+    await this.driver.get("https://admin.example.com:8080/secret.html");
+    await this.driver.sleep(2000);
+    await this.driver.get("https://admin.example.com:8080/secret.html");
 
+    await this.driver.sleep(2000);
+    await this.driver.get("https://admin.example.com:8080/secret.html");
+    await VerifyUrlIs(this.driver, "https://login.example.com:8080/#/?rd=https://admin.example.com:8080/secret.html");
   });
 
   describe('With remember me checkbox checked', function() {
     it("should keep user logged in after inactivity period", async function() {
-      const driver = this.driver as WebDriver;
-      await VisitPageAndWaitUrlIs(driver, "https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html");
-      await FillLoginPageWithUserAndPasswordAndClick(driver, 'john', 'password', true);
-      await ValidateTotp(driver, this.secret);
-      await VerifyUrlIs(driver, "https://admin.example.com:8080/secret.html");
-      await VisitPageAndWaitUrlIs(driver, "https://home.example.com:8080/");
-      await driver.sleep(6000);
-      await VisitPage(driver, "https://admin.example.com:8080/secret.html");
-      await VerifyUrlIs(driver, "https://admin.example.com:8080/secret.html");
+      await VisitPageAndWaitUrlIs(this.driver, "https://login.example.com:8080/#/?rd=https://admin.example.com:8080/secret.html");
+      await FillLoginPageWithUserAndPasswordAndClick(this.driver, 'john', 'password', true);
+      await ValidateTotp(this.driver, this.secret);
+      await VerifyUrlIs(this.driver, "https://admin.example.com:8080/secret.html");
+      await VisitPageAndWaitUrlIs(this.driver, "https://home.example.com:8080/");
+      await this.driver.sleep(6000);
+      await VisitPage(this.driver, "https://admin.example.com:8080/secret.html");
+      await VerifyUrlIs(this.driver, "https://admin.example.com:8080/secret.html");
     });
   });
 }
\ No newline at end of file